[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"
Fixed in https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-6 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/827151 Title: Annoying log message "DIGEST-MD5 common mech free" Status in Cyrus-sasl2: Fix Released Status in cyrus-sasl2 package in Ubuntu: Triaged Status in cyrus-sasl2 source package in Trusty: Won't Fix Status in cyrus-sasl2 source package in Xenial: Incomplete Status in cyrus-sasl2 source package in Yakkety: Fix Released Status in cyrus-sasl2 source package in Focal: Triaged Status in cyrus-sasl2 source package in Impish: Triaged Status in cyrus-sasl2 source package in Jammy: In Progress Status in cyrus-sasl2 package in Debian: Fix Released Bug description: I recently updated the libsasl2-modules to 2.1.24~rc1.dfsg1+cvs2011-05-23-4ubuntu1 in oneiric. That triggered the bug also described in Debian here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631932 The annoying message is logged in auth.log. In my case, it is associated with svnserve: svnserve: DIGEST-MD5 common mech free I'm not exactly sure what action triggers the message, but I can investigate more if required. $ lsb_release -rd Description:Ubuntu oneiric (development branch) Release:11.10 To manage notifications about this bug go to: https://bugs.launchpad.net/cyrus-sasl2/+bug/827151/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971272] Re: Merge cyrus-sasl2 from Debian unstable for kinetic
It's back to being a sync: https://launchpad.net/ubuntu/+source/cyrus- sasl2/2.1.28+dfsg-6 ** Changed in: cyrus-sasl2 (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1971272 Title: Merge cyrus-sasl2 from Debian unstable for kinetic Status in cyrus-sasl2 package in Ubuntu: Fix Released Bug description: Upstream: tbd Debian: 2.1.28+dfsg-4 Ubuntu: 2.1.27+dfsg2-3ubuntu1 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### cyrus-sasl2 (2.1.28+dfsg-4) unstable; urgency=medium * d/copyright: java/* files were removed upstream * d/copyright: Reformat the default license's margin * d/copyright: Add project's license to include/makemd5.c * Move SCRAM to libsasl2-modules (Closes: #977360) * Install additional GS2 module for Heimdal * Remove Roberto from the Uploaders * Drop 0005-Fixes-in-library-mutexes.patch * Drop 0021-Fix-keytab-option-for-MIT-Kerberos.patch * Remove former logcheck conffile (Closes: #1009851) * lintian: Fix excessive-priority-for-library-package * lintian: Fix package-contains-empty-directory -- Bastian Germann Wed, 20 Apr 2022 01:01:01 +0200 cyrus-sasl2 (2.1.28+dfsg-3) unstable; urgency=high * Set MIT/Heimdal CFLAGS instead of CPPFLAGS * Drop unnecessary 0027-properly-create-libsasl2.pc.patch * Prevent installing outdated ChangeLog (Closes: #1009681) * Remove debug log message and its logcheck rule (Closes: #805310) * Self-reference pluginviewer man as saslpluginviewer (Closes: #1009380) * Get rid of broken README.configure-options * Add sasldbconverter2.8 manpage * d/copyright: Add missing KTH license * Install libsasl.5 manpage [ Debian Janitor ] * Remove constraints unnecessary since buster -- Bastian Germann Fri, 15 Apr 2022 12:02:13 +0200 cyrus-sasl2 (2.1.28+dfsg-2) unstable; urgency=medium * Remove cruft -- Bastian Germann Fri, 25 Feb 2022 18:58:54 +0100 cyrus-sasl2 (2.1.28+dfsg-1) experimental; urgency=medium * Drop upstream patches * Import new release signing key * Reset repacksuffix * New upstream version 2.1.28+dfsg (CVE-2022-24407) * Rebase 0027-properly-create-libsasl2.pc.patch -- Bastian Germann Tue, 22 Feb 2022 23:40:47 +0100 cyrus-sasl2 (2.1.27+dfsg2-3) unstable; urgency=medium [ Andreas Hasenack ] * Fix configure.ac for autoconf 2.70 (Closes: #1003355, #1000152) -- Bastian Germann Tue, 11 Jan 2022 11:25:37 +0100 cyrus-sasl2 (2.1.27+dfsg2-2) unstable; urgency=medium [ Helmut Grohne ] * Fix FTCBFS: (Closes: #928512) + cross.patch: Support caching SPNEGO support test. + Provide SPNEGO support test result. [ Vagrant Cascadian ] * Set date in man pages (Closes: #995145) -- Bastian Germann Wed, 17 Nov 2021 01:23:49 +0100 cyrus-sasl2 (2.1.27+dfsg2-1) unstable; urgency=medium * Add bage to uploaders (Closes: #799864) * Use upstream patches where possible * Amend off-by-one in _sasl_add_string function * Replace some patches by upstream equivalents * Apply the patches in order of to their prefixes * Add missing caret (^) in logcheck rule (Closes: #830764) * Remove unnecessary GPL copy * Add missing copyright/licenses * Repack, getting rid of more problematic files * Build html documentation * Make the package rebuildable * Remove outdated README.Debian info * Disable autostart via debhelper * Drop unnecessary patch * Remove alternative, old build dep libmysqlclient-dev Annotate documentation Build-Depends with :native [ Frédéric Brière ] * Make logcheck snippet compatible with systemd journal -- Bastian Germann Sun, 14 Nov 2021 14:11:18 +0100 cyrus-sasl2 (2.1.27+dfsg-2.3) unstable; urgency=medium * Non-maintainer upload. * d/watch: Check the github releases page * Get rid of a patch's patch * Recover upstream-compatible patch license (Closes: #996866) + Relicense libobj patch * Fix lintian: unused-override ### Old Ubuntu Delta ### cyrus-sasl2 (2.1.27+dfsg2-3ubuntu1) jammy; urgency=medium * SECURITY UPDATE: SQL injection in SQL plugin - debian/patches/CVE-2022-24407.patch: escape password for SQL insert/update commands in plugins/sql.c. - CVE-2022-24407 -- Marc Deslauriers Tue, 22 Feb 2022 14:17:18 -0500 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1971272/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~to
[Touch-packages] [Bug 1677781] Re: Missing dep8 tests
Fixed in https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-6 ** Changed in: cyrus-sasl2 (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1677781 Title: Missing dep8 tests Status in cyrus-sasl2 package in Ubuntu: Fix Released Bug description: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 As of March 29, 2017, this source package did not contain dep8 tests in the current development release of Ubuntu, named Zesty. This was determined by running `pull-lp-source cyrus-sasl2 zesty` and then checking for the existence of 'debian/tests/' and 'debian/tests/control'. Test automation is essential to higher levels of quality and confidence in updates to packages. dep8 tests [1] specify how automatic testing can be integrated into packages and then run by package maintainers before new uploads. This defect is to report the absence of these tests and to report the opportunity as a potential item for development by both new and experienced contributors. [1] http://packaging.ubuntu.com/html/auto-pkg-test.html affects ubuntu/cyrus-sasl2 status new importance wishlist tag needs-dep8 - --- Joshua Powers Ubuntu Server Canonical Ltd -BEGIN PGP SIGNATURE- iQIcBAEBCAAGBQJY3XaTAAoJEIP8BxPaZgwlJr8P/j8yn8mXWnAIiXUgHX7jBIGj JuMQGO5wwcfHRxOwJEOlsO/SIATUN1L1BB84anP7Bp4cfLqXonF8eKFPkEotwaf1 3wADCH98EwLuSyJOaKXsTQHppAKdJ6UEW4jHvfhYizenEWssPfCQdg68LSGZ2enR wD9ZhZgjwJIpLbqDTp7ygklR0htf4ZAFq/vIcyLykT6qagVE3xC8SAgd+7tb/fYe 4PYfqgGso/qpL0v6JL+YkCKH/aiMYV+HD45o1NcUbGdoiuUa9jpeYSSTP/9OgWpY nALDXe/dJZT/wz5Zv0cy6sGRh7gtjVqI0608WAM00Jp8CmFX60z4yrq/3t37wKbz iDQF4HyltqfCNF5oQ6xva9xAq/c2tyP8nBHzQ+ZtH/o1hyS/JdgoR38OojldyUc5 WzcTFL+h612ZVZVNm4lqBpg/0dpEkwXTE9KczyB5kSr5VVz0WXtjU5wFxKMdZpr5 Gq9uM+fHU4YHQqfGGZxmHFOgz7tCAyEsZEzpnPiYvoSksj3tJMkQG7FbIISltort CBAwLIt1hLR9g4T3p0e4ipCJf6kL/yZR3kMGhsjbDe012bTaC8ZeLG7VYmWkBaxY ieFMZIxmGgCq7KjDfNPh9JEmCtNgenkEOu6BszZK+gwmhL/AxVuuNRdd5OeBGy3G WY9JzBOc6MUi46Hh9ZN5 =szTz -END PGP SIGNATURE- To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1677781/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128
Fixed in https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-6 ** Changed in: cyrus-sasl2 (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1973760 Title: Crash when using DIGEST-MD5 with SSF>=128 Status in cyrus-sasl2 package in Ubuntu: Fix Released Status in cyrus-sasl2 package in Debian: Fix Released Bug description: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128
A fixed cyrus-sasl2 is in kinetic-proposed. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1973760 Title: Crash when using DIGEST-MD5 with SSF>=128 Status in cyrus-sasl2 package in Ubuntu: In Progress Status in cyrus-sasl2 package in Debian: New Bug description: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128
Bileto is green: https://bileto.ubuntu.com/#/ticket/4852 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1973760 Title: Crash when using DIGEST-MD5 with SSF>=128 Status in cyrus-sasl2 package in Ubuntu: In Progress Status in cyrus-sasl2 package in Debian: New Bug description: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128
Submitted the cyrus-sasl2 fix to Debian via https://salsa.debian.org/debian/cyrus-sasl2/-/merge_requests/11 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1973760 Title: Crash when using DIGEST-MD5 with SSF>=128 Status in cyrus-sasl2 package in Ubuntu: In Progress Status in cyrus-sasl2 package in Debian: New Bug description: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128
** Bug watch added: Debian Bug tracker #1011249 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011249 ** Also affects: cyrus-sasl2 (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011249 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1973760 Title: Crash when using DIGEST-MD5 with SSF>=128 Status in cyrus-sasl2 package in Ubuntu: In Progress Status in cyrus-sasl2 package in Debian: Unknown Bug description: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128
Submitted python-bonsai DEP8 fixes to Debian via https://salsa.debian.org/python-team/packages/python- bonsai/-/merge_requests/1 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1973760 Title: Crash when using DIGEST-MD5 with SSF>=128 Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971272] Re: Merge cyrus-sasl2 from Debian unstable for kinetic
It's currently blocked on this (real) bug, for which I'm testing a few fixes already: https://bugs.launchpad.net/ubuntu/+source/python- bonsai/+bug/1973756 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1971272 Title: Merge cyrus-sasl2 from Debian unstable for kinetic Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: Upstream: tbd Debian: 2.1.28+dfsg-4 Ubuntu: 2.1.27+dfsg2-3ubuntu1 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### cyrus-sasl2 (2.1.28+dfsg-4) unstable; urgency=medium * d/copyright: java/* files were removed upstream * d/copyright: Reformat the default license's margin * d/copyright: Add project's license to include/makemd5.c * Move SCRAM to libsasl2-modules (Closes: #977360) * Install additional GS2 module for Heimdal * Remove Roberto from the Uploaders * Drop 0005-Fixes-in-library-mutexes.patch * Drop 0021-Fix-keytab-option-for-MIT-Kerberos.patch * Remove former logcheck conffile (Closes: #1009851) * lintian: Fix excessive-priority-for-library-package * lintian: Fix package-contains-empty-directory -- Bastian Germann Wed, 20 Apr 2022 01:01:01 +0200 cyrus-sasl2 (2.1.28+dfsg-3) unstable; urgency=high * Set MIT/Heimdal CFLAGS instead of CPPFLAGS * Drop unnecessary 0027-properly-create-libsasl2.pc.patch * Prevent installing outdated ChangeLog (Closes: #1009681) * Remove debug log message and its logcheck rule (Closes: #805310) * Self-reference pluginviewer man as saslpluginviewer (Closes: #1009380) * Get rid of broken README.configure-options * Add sasldbconverter2.8 manpage * d/copyright: Add missing KTH license * Install libsasl.5 manpage [ Debian Janitor ] * Remove constraints unnecessary since buster -- Bastian Germann Fri, 15 Apr 2022 12:02:13 +0200 cyrus-sasl2 (2.1.28+dfsg-2) unstable; urgency=medium * Remove cruft -- Bastian Germann Fri, 25 Feb 2022 18:58:54 +0100 cyrus-sasl2 (2.1.28+dfsg-1) experimental; urgency=medium * Drop upstream patches * Import new release signing key * Reset repacksuffix * New upstream version 2.1.28+dfsg (CVE-2022-24407) * Rebase 0027-properly-create-libsasl2.pc.patch -- Bastian Germann Tue, 22 Feb 2022 23:40:47 +0100 cyrus-sasl2 (2.1.27+dfsg2-3) unstable; urgency=medium [ Andreas Hasenack ] * Fix configure.ac for autoconf 2.70 (Closes: #1003355, #1000152) -- Bastian Germann Tue, 11 Jan 2022 11:25:37 +0100 cyrus-sasl2 (2.1.27+dfsg2-2) unstable; urgency=medium [ Helmut Grohne ] * Fix FTCBFS: (Closes: #928512) + cross.patch: Support caching SPNEGO support test. + Provide SPNEGO support test result. [ Vagrant Cascadian ] * Set date in man pages (Closes: #995145) -- Bastian Germann Wed, 17 Nov 2021 01:23:49 +0100 cyrus-sasl2 (2.1.27+dfsg2-1) unstable; urgency=medium * Add bage to uploaders (Closes: #799864) * Use upstream patches where possible * Amend off-by-one in _sasl_add_string function * Replace some patches by upstream equivalents * Apply the patches in order of to their prefixes * Add missing caret (^) in logcheck rule (Closes: #830764) * Remove unnecessary GPL copy * Add missing copyright/licenses * Repack, getting rid of more problematic files * Build html documentation * Make the package rebuildable * Remove outdated README.Debian info * Disable autostart via debhelper * Drop unnecessary patch * Remove alternative, old build dep libmysqlclient-dev Annotate documentation Build-Depends with :native [ Frédéric Brière ] * Make logcheck snippet compatible with systemd journal -- Bastian Germann Sun, 14 Nov 2021 14:11:18 +0100 cyrus-sasl2 (2.1.27+dfsg-2.3) unstable; urgency=medium * Non-maintainer upload. * d/watch: Check the github releases page * Get rid of a patch's patch * Recover upstream-compatible patch license (Closes: #996866) + Relicense libobj patch * Fix lintian: unused-override ### Old Ubuntu Delta ### cyrus-sasl2 (2.1.27+dfsg2-3ubuntu1) jammy; urgency=medium * SECURITY UPDATE: SQL injection in SQL plugin - debian/patches/CVE-2022-24407.patch: escape password for SQL insert/update commands in plugins/sql.c. - CVE-2022-24407 -- Marc Deslauriers Tue, 22 Feb 2022 14:17:18 -0500 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1971272/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help
[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128
https://github.com/cyrusimap/cyrus-sasl/pull/668 ** Bug watch added: github.com/cyrusimap/cyrus-sasl/issues #665 https://github.com/cyrusimap/cyrus-sasl/issues/665 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1973760 Title: Crash when using DIGEST-MD5 with SSF>=128 Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128
https://github.com/cyrusimap/cyrus-sasl/pull/653 https://github.com/cyrusimap/cyrus-sasl/issues/665 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1973760 Title: Crash when using DIGEST-MD5 with SSF>=128 Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>=128
Working theory at the moment is that cyrus-sasl2 is using RC4 from OpenSSL, and OpenSSL3 deprecated it: On Kinetic: $ openssl version OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) $ echo -ne test | openssl rc4 -k test *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. Error setting cipher RC4 4057FE8C0B7F:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC4 : 37), Properties () Salted__gG On Impish: $ openssl version OpenSSL 1.1.1l 24 Aug 2021 $ echo -ne test | openssl rc4 -k test *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. Salted__~T�|=�ʇ Jammy: $ openssl version OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) $ echo -ne "test" | openssl rc4 -k test *** WARNING : deprecated key derivation used. Using -iter or -pbkdf2 would be better. Error setting cipher RC4 40078BF4127F:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:../crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (RC4 : 37), Properties () Salted__��N�x��� Both jammy and kinetic show "Error setting cipher RC4". Oh, and the stack trace confirming it's inside openssl: (gdb) bt #0 0x774085cb in EVP_EncryptUpdate (ctx=0x0, out=out@entry=0x555c7cf4 "0\036\002\001\004w\031\200\027\061.3.6.1.4.1.4203.1.11.3ST-MD5 client step 3", outl=outl@entry=0x7fffdbc4, in=0x555c8d50 "0\036\002\001\004w\031\200\027\061.3.6.1.4.1.4203.1.11.311.311.3", inl=32) at ../crypto/evp/evp_enc.c:614 #1 0x770a07a9 in enc_rc4 (text=0x55585e00, input=, inputlen=, digest=0x7fffdc20 "^\316@+\322}\a\334\006T\005\353:H}\036\260l\\UUU", output=0x555c7cf4 "0\036\002\001\004w\031\200\027\061.3.6.1.4.1.4203.1.11.3ST-MD5 client step 3", outputlen=0x7fffdda4) at ../../plugins/digestmd5.c:1201 #2 0x770a1ddb in digestmd5_encode (context=0x55585e00, invec=, numiov=, output=0x5559e708, outputlen=0x7fffdda4) at ../../plugins/digestmd5.c:1552 #3 0x77f33c3e in _sasl_encodev (conn=conn@entry=0x55586cf0, invec=invec@entry=0x7fffdd70, numiov=numiov@entry=1, p_num_packets=p_num_packets@entry=0x7fffdd0c, output=output@entry=0x5559e708, outputlen=outputlen@entry=0x7fffdda4) at ../../lib/common.c:359 #4 0x77f360a1 in sasl_encodev (conn=conn@entry=0x55586cf0, invec=invec@entry=0x7fffdd70, numiov=numiov@entry=1, output=output@entry=0x5559e708, outputlen=outputlen@entry=0x7fffdda4) at ../../lib/common.c:582 #5 0x77f361d0 in sasl_encode (conn=0x55586cf0, input=, inputlen=, output=output@entry=0x5559e708, outputlen=outputlen@entry=0x7fffdda4) at ../../lib/common.c:304 #6 0x77f665ba in sb_sasl_cyrus_encode (p=0x5559e680, buf=, len=, dst=0x5559e6f0) at ../../../../libraries/libldap/cyrus.c:134 #7 0x77f66b90 in sb_sasl_generic_write (sbiod=0x55585a30, buf=0x555c8d50, len=) at ../../../../libraries/libldap/sasl.c:783 #8 0x77f4ad3c in sb_debug_write (sbiod=0x55586aa0, buf=0x555c8d50, len=32) at ../../../../libraries/liblber/sockbuf.c:854 #9 0x77f50105 in ber_int_sb_write (sb=sb@entry=0x55585900, buf=0x555c8d50, len=len@entry=32) at ../../../../libraries/liblber/sockbuf.c:445 #10 0x77f5027b in ber_flush2 (sb=0x55585900, ber=0x555c7c90, freeit=freeit@entry=0) at ../../../../libraries/liblber/io.c:249 #11 0x77f7e0a7 in ldap_int_flush_request (ld=ld@entry=0x555834e0, lr=lr@entry=0x555c6cb0) at ../../../../libraries/libldap/request.c:186 #12 0x77f8001f in ldap_send_server_request (ld=ld@entry=0x555834e0, ber=ber@entry=0x555c7c90,
[Touch-packages] [Bug 1973760] Re: Crash when using DIGEST-MD5 with SSF>0
It's also crashing in debian: https://ci.debian.net/data/autopkgtest/unstable/amd64/p/python- bonsai/21842977/log.gz ** Summary changed: - Crash when using DIGEST-MD5 with SSF>0 + Crash when using DIGEST-MD5 with SSF>=128 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1973760 Title: Crash when using DIGEST-MD5 with SSF>=128 Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1973760] [NEW] Crash when using DIGEST-MD5 with SSF>=128
Public bug reported: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). ** Affects: cyrus-sasl2 (Ubuntu) Importance: High Assignee: Andreas Hasenack (ahasenack) Status: In Progress ** Tags: server-todo update-excuse update-excuses -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1973760 Title: Crash when using DIGEST-MD5 with SSF>=128 Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: I'm still troubleshooting this, but at the moment apps negotiating a DIGEST-MD5 authentication and requesting some form of transport encryption (ssf != 0) are crashing. The only example I have so far is the openldap client tools (so just one app really). ssf=0 works: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 0 dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth ssf=128 crashes: $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128 SASL/DIGEST-MD5 authentication started SASL username: ubuntu@lxd SASL SSF: 128 SASL data security layer installed. Segmentation fault (core dumped) The crash seems to be inside openssl. I'll get a proper stack trace. 2.1.27, also built with openssl3, does not crash. So far only 2.1.28 (in kinetic-proposed). To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1973760/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1677781] Re: Missing dep8 tests
Sent new dep8 tests to debian, and then synced the package back into ubuntu: https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-5 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1677781 Title: Missing dep8 tests Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 As of March 29, 2017, this source package did not contain dep8 tests in the current development release of Ubuntu, named Zesty. This was determined by running `pull-lp-source cyrus-sasl2 zesty` and then checking for the existence of 'debian/tests/' and 'debian/tests/control'. Test automation is essential to higher levels of quality and confidence in updates to packages. dep8 tests [1] specify how automatic testing can be integrated into packages and then run by package maintainers before new uploads. This defect is to report the absence of these tests and to report the opportunity as a potential item for development by both new and experienced contributors. [1] http://packaging.ubuntu.com/html/auto-pkg-test.html affects ubuntu/cyrus-sasl2 status new importance wishlist tag needs-dep8 - --- Joshua Powers Ubuntu Server Canonical Ltd -BEGIN PGP SIGNATURE- iQIcBAEBCAAGBQJY3XaTAAoJEIP8BxPaZgwlJr8P/j8yn8mXWnAIiXUgHX7jBIGj JuMQGO5wwcfHRxOwJEOlsO/SIATUN1L1BB84anP7Bp4cfLqXonF8eKFPkEotwaf1 3wADCH98EwLuSyJOaKXsTQHppAKdJ6UEW4jHvfhYizenEWssPfCQdg68LSGZ2enR wD9ZhZgjwJIpLbqDTp7ygklR0htf4ZAFq/vIcyLykT6qagVE3xC8SAgd+7tb/fYe 4PYfqgGso/qpL0v6JL+YkCKH/aiMYV+HD45o1NcUbGdoiuUa9jpeYSSTP/9OgWpY nALDXe/dJZT/wz5Zv0cy6sGRh7gtjVqI0608WAM00Jp8CmFX60z4yrq/3t37wKbz iDQF4HyltqfCNF5oQ6xva9xAq/c2tyP8nBHzQ+ZtH/o1hyS/JdgoR38OojldyUc5 WzcTFL+h612ZVZVNm4lqBpg/0dpEkwXTE9KczyB5kSr5VVz0WXtjU5wFxKMdZpr5 Gq9uM+fHU4YHQqfGGZxmHFOgz7tCAyEsZEzpnPiYvoSksj3tJMkQG7FbIISltort CBAwLIt1hLR9g4T3p0e4ipCJf6kL/yZR3kMGhsjbDe012bTaC8ZeLG7VYmWkBaxY ieFMZIxmGgCq7KjDfNPh9JEmCtNgenkEOu6BszZK+gwmhL/AxVuuNRdd5OeBGy3G WY9JzBOc6MUi46Hh9ZN5 =szTz -END PGP SIGNATURE- To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1677781/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971272] Re: Merge cyrus-sasl2 from Debian unstable for kinetic
This became a sync, after debian accepted my DEP8 tests. https://launchpad.net/ubuntu/+source/cyrus-sasl2/2.1.28+dfsg-5 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1971272 Title: Merge cyrus-sasl2 from Debian unstable for kinetic Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: Upstream: tbd Debian: 2.1.28+dfsg-4 Ubuntu: 2.1.27+dfsg2-3ubuntu1 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### cyrus-sasl2 (2.1.28+dfsg-4) unstable; urgency=medium * d/copyright: java/* files were removed upstream * d/copyright: Reformat the default license's margin * d/copyright: Add project's license to include/makemd5.c * Move SCRAM to libsasl2-modules (Closes: #977360) * Install additional GS2 module for Heimdal * Remove Roberto from the Uploaders * Drop 0005-Fixes-in-library-mutexes.patch * Drop 0021-Fix-keytab-option-for-MIT-Kerberos.patch * Remove former logcheck conffile (Closes: #1009851) * lintian: Fix excessive-priority-for-library-package * lintian: Fix package-contains-empty-directory -- Bastian Germann Wed, 20 Apr 2022 01:01:01 +0200 cyrus-sasl2 (2.1.28+dfsg-3) unstable; urgency=high * Set MIT/Heimdal CFLAGS instead of CPPFLAGS * Drop unnecessary 0027-properly-create-libsasl2.pc.patch * Prevent installing outdated ChangeLog (Closes: #1009681) * Remove debug log message and its logcheck rule (Closes: #805310) * Self-reference pluginviewer man as saslpluginviewer (Closes: #1009380) * Get rid of broken README.configure-options * Add sasldbconverter2.8 manpage * d/copyright: Add missing KTH license * Install libsasl.5 manpage [ Debian Janitor ] * Remove constraints unnecessary since buster -- Bastian Germann Fri, 15 Apr 2022 12:02:13 +0200 cyrus-sasl2 (2.1.28+dfsg-2) unstable; urgency=medium * Remove cruft -- Bastian Germann Fri, 25 Feb 2022 18:58:54 +0100 cyrus-sasl2 (2.1.28+dfsg-1) experimental; urgency=medium * Drop upstream patches * Import new release signing key * Reset repacksuffix * New upstream version 2.1.28+dfsg (CVE-2022-24407) * Rebase 0027-properly-create-libsasl2.pc.patch -- Bastian Germann Tue, 22 Feb 2022 23:40:47 +0100 cyrus-sasl2 (2.1.27+dfsg2-3) unstable; urgency=medium [ Andreas Hasenack ] * Fix configure.ac for autoconf 2.70 (Closes: #1003355, #1000152) -- Bastian Germann Tue, 11 Jan 2022 11:25:37 +0100 cyrus-sasl2 (2.1.27+dfsg2-2) unstable; urgency=medium [ Helmut Grohne ] * Fix FTCBFS: (Closes: #928512) + cross.patch: Support caching SPNEGO support test. + Provide SPNEGO support test result. [ Vagrant Cascadian ] * Set date in man pages (Closes: #995145) -- Bastian Germann Wed, 17 Nov 2021 01:23:49 +0100 cyrus-sasl2 (2.1.27+dfsg2-1) unstable; urgency=medium * Add bage to uploaders (Closes: #799864) * Use upstream patches where possible * Amend off-by-one in _sasl_add_string function * Replace some patches by upstream equivalents * Apply the patches in order of to their prefixes * Add missing caret (^) in logcheck rule (Closes: #830764) * Remove unnecessary GPL copy * Add missing copyright/licenses * Repack, getting rid of more problematic files * Build html documentation * Make the package rebuildable * Remove outdated README.Debian info * Disable autostart via debhelper * Drop unnecessary patch * Remove alternative, old build dep libmysqlclient-dev Annotate documentation Build-Depends with :native [ Frédéric Brière ] * Make logcheck snippet compatible with systemd journal -- Bastian Germann Sun, 14 Nov 2021 14:11:18 +0100 cyrus-sasl2 (2.1.27+dfsg-2.3) unstable; urgency=medium * Non-maintainer upload. * d/watch: Check the github releases page * Get rid of a patch's patch * Recover upstream-compatible patch license (Closes: #996866) + Relicense libobj patch * Fix lintian: unused-override ### Old Ubuntu Delta ### cyrus-sasl2 (2.1.27+dfsg2-3ubuntu1) jammy; urgency=medium * SECURITY UPDATE: SQL injection in SQL plugin - debian/patches/CVE-2022-24407.patch: escape password for SQL insert/update commands in plugins/sql.c. - CVE-2022-24407 -- Marc Deslauriers Tue, 22 Feb 2022 14:17:18 -0500 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1971272/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net
[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"
** Changed in: cyrus-sasl2 (Ubuntu Jammy) Status: Triaged => In Progress ** Changed in: cyrus-sasl2 (Ubuntu Jammy) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/827151 Title: Annoying log message "DIGEST-MD5 common mech free" Status in Cyrus-sasl2: Fix Released Status in cyrus-sasl2 package in Ubuntu: Triaged Status in cyrus-sasl2 source package in Trusty: Won't Fix Status in cyrus-sasl2 source package in Xenial: Incomplete Status in cyrus-sasl2 source package in Yakkety: Fix Released Status in cyrus-sasl2 source package in Focal: Triaged Status in cyrus-sasl2 source package in Impish: Triaged Status in cyrus-sasl2 source package in Jammy: In Progress Status in cyrus-sasl2 package in Debian: Fix Released Bug description: I recently updated the libsasl2-modules to 2.1.24~rc1.dfsg1+cvs2011-05-23-4ubuntu1 in oneiric. That triggered the bug also described in Debian here: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631932 The annoying message is logged in auth.log. In my case, it is associated with svnserve: svnserve: DIGEST-MD5 common mech free I'm not exactly sure what action triggers the message, but I can investigate more if required. $ lsb_release -rd Description:Ubuntu oneiric (development branch) Release:11.10 To manage notifications about this bug go to: https://bugs.launchpad.net/cyrus-sasl2/+bug/827151/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1677781] Re: Missing dep8 tests
** Changed in: cyrus-sasl2 (Ubuntu) Status: Triaged => In Progress ** Changed in: cyrus-sasl2 (Ubuntu) Importance: Wishlist => Medium -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1677781 Title: Missing dep8 tests Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 As of March 29, 2017, this source package did not contain dep8 tests in the current development release of Ubuntu, named Zesty. This was determined by running `pull-lp-source cyrus-sasl2 zesty` and then checking for the existence of 'debian/tests/' and 'debian/tests/control'. Test automation is essential to higher levels of quality and confidence in updates to packages. dep8 tests [1] specify how automatic testing can be integrated into packages and then run by package maintainers before new uploads. This defect is to report the absence of these tests and to report the opportunity as a potential item for development by both new and experienced contributors. [1] http://packaging.ubuntu.com/html/auto-pkg-test.html affects ubuntu/cyrus-sasl2 status new importance wishlist tag needs-dep8 - --- Joshua Powers Ubuntu Server Canonical Ltd -BEGIN PGP SIGNATURE- iQIcBAEBCAAGBQJY3XaTAAoJEIP8BxPaZgwlJr8P/j8yn8mXWnAIiXUgHX7jBIGj JuMQGO5wwcfHRxOwJEOlsO/SIATUN1L1BB84anP7Bp4cfLqXonF8eKFPkEotwaf1 3wADCH98EwLuSyJOaKXsTQHppAKdJ6UEW4jHvfhYizenEWssPfCQdg68LSGZ2enR wD9ZhZgjwJIpLbqDTp7ygklR0htf4ZAFq/vIcyLykT6qagVE3xC8SAgd+7tb/fYe 4PYfqgGso/qpL0v6JL+YkCKH/aiMYV+HD45o1NcUbGdoiuUa9jpeYSSTP/9OgWpY nALDXe/dJZT/wz5Zv0cy6sGRh7gtjVqI0608WAM00Jp8CmFX60z4yrq/3t37wKbz iDQF4HyltqfCNF5oQ6xva9xAq/c2tyP8nBHzQ+ZtH/o1hyS/JdgoR38OojldyUc5 WzcTFL+h612ZVZVNm4lqBpg/0dpEkwXTE9KczyB5kSr5VVz0WXtjU5wFxKMdZpr5 Gq9uM+fHU4YHQqfGGZxmHFOgz7tCAyEsZEzpnPiYvoSksj3tJMkQG7FbIISltort CBAwLIt1hLR9g4T3p0e4ipCJf6kL/yZR3kMGhsjbDe012bTaC8ZeLG7VYmWkBaxY ieFMZIxmGgCq7KjDfNPh9JEmCtNgenkEOu6BszZK+gwmhL/AxVuuNRdd5OeBGy3G WY9JzBOc6MUi46Hh9ZN5 =szTz -END PGP SIGNATURE- To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1677781/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971272] Re: Merge cyrus-sasl2 from Debian unstable for kinetic
** Changed in: cyrus-sasl2 (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1971272 Title: Merge cyrus-sasl2 from Debian unstable for kinetic Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: Upstream: tbd Debian: 2.1.28+dfsg-4 Ubuntu: 2.1.27+dfsg2-3ubuntu1 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### cyrus-sasl2 (2.1.28+dfsg-4) unstable; urgency=medium * d/copyright: java/* files were removed upstream * d/copyright: Reformat the default license's margin * d/copyright: Add project's license to include/makemd5.c * Move SCRAM to libsasl2-modules (Closes: #977360) * Install additional GS2 module for Heimdal * Remove Roberto from the Uploaders * Drop 0005-Fixes-in-library-mutexes.patch * Drop 0021-Fix-keytab-option-for-MIT-Kerberos.patch * Remove former logcheck conffile (Closes: #1009851) * lintian: Fix excessive-priority-for-library-package * lintian: Fix package-contains-empty-directory -- Bastian Germann Wed, 20 Apr 2022 01:01:01 +0200 cyrus-sasl2 (2.1.28+dfsg-3) unstable; urgency=high * Set MIT/Heimdal CFLAGS instead of CPPFLAGS * Drop unnecessary 0027-properly-create-libsasl2.pc.patch * Prevent installing outdated ChangeLog (Closes: #1009681) * Remove debug log message and its logcheck rule (Closes: #805310) * Self-reference pluginviewer man as saslpluginviewer (Closes: #1009380) * Get rid of broken README.configure-options * Add sasldbconverter2.8 manpage * d/copyright: Add missing KTH license * Install libsasl.5 manpage [ Debian Janitor ] * Remove constraints unnecessary since buster -- Bastian Germann Fri, 15 Apr 2022 12:02:13 +0200 cyrus-sasl2 (2.1.28+dfsg-2) unstable; urgency=medium * Remove cruft -- Bastian Germann Fri, 25 Feb 2022 18:58:54 +0100 cyrus-sasl2 (2.1.28+dfsg-1) experimental; urgency=medium * Drop upstream patches * Import new release signing key * Reset repacksuffix * New upstream version 2.1.28+dfsg (CVE-2022-24407) * Rebase 0027-properly-create-libsasl2.pc.patch -- Bastian Germann Tue, 22 Feb 2022 23:40:47 +0100 cyrus-sasl2 (2.1.27+dfsg2-3) unstable; urgency=medium [ Andreas Hasenack ] * Fix configure.ac for autoconf 2.70 (Closes: #1003355, #1000152) -- Bastian Germann Tue, 11 Jan 2022 11:25:37 +0100 cyrus-sasl2 (2.1.27+dfsg2-2) unstable; urgency=medium [ Helmut Grohne ] * Fix FTCBFS: (Closes: #928512) + cross.patch: Support caching SPNEGO support test. + Provide SPNEGO support test result. [ Vagrant Cascadian ] * Set date in man pages (Closes: #995145) -- Bastian Germann Wed, 17 Nov 2021 01:23:49 +0100 cyrus-sasl2 (2.1.27+dfsg2-1) unstable; urgency=medium * Add bage to uploaders (Closes: #799864) * Use upstream patches where possible * Amend off-by-one in _sasl_add_string function * Replace some patches by upstream equivalents * Apply the patches in order of to their prefixes * Add missing caret (^) in logcheck rule (Closes: #830764) * Remove unnecessary GPL copy * Add missing copyright/licenses * Repack, getting rid of more problematic files * Build html documentation * Make the package rebuildable * Remove outdated README.Debian info * Disable autostart via debhelper * Drop unnecessary patch * Remove alternative, old build dep libmysqlclient-dev Annotate documentation Build-Depends with :native [ Frédéric Brière ] * Make logcheck snippet compatible with systemd journal -- Bastian Germann Sun, 14 Nov 2021 14:11:18 +0100 cyrus-sasl2 (2.1.27+dfsg-2.3) unstable; urgency=medium * Non-maintainer upload. * d/watch: Check the github releases page * Get rid of a patch's patch * Recover upstream-compatible patch license (Closes: #996866) + Relicense libobj patch * Fix lintian: unused-override ### Old Ubuntu Delta ### cyrus-sasl2 (2.1.27+dfsg2-3ubuntu1) jammy; urgency=medium * SECURITY UPDATE: SQL injection in SQL plugin - debian/patches/CVE-2022-24407.patch: escape password for SQL insert/update commands in plugins/sql.c. - CVE-2022-24407 -- Marc Deslauriers Tue, 22 Feb 2022 14:17:18 -0500 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1971272/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1677781] Re: Missing dep8 tests
** Changed in: cyrus-sasl2 (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1677781 Title: Missing dep8 tests Status in cyrus-sasl2 package in Ubuntu: Triaged Bug description: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 As of March 29, 2017, this source package did not contain dep8 tests in the current development release of Ubuntu, named Zesty. This was determined by running `pull-lp-source cyrus-sasl2 zesty` and then checking for the existence of 'debian/tests/' and 'debian/tests/control'. Test automation is essential to higher levels of quality and confidence in updates to packages. dep8 tests [1] specify how automatic testing can be integrated into packages and then run by package maintainers before new uploads. This defect is to report the absence of these tests and to report the opportunity as a potential item for development by both new and experienced contributors. [1] http://packaging.ubuntu.com/html/auto-pkg-test.html affects ubuntu/cyrus-sasl2 status new importance wishlist tag needs-dep8 - --- Joshua Powers Ubuntu Server Canonical Ltd -BEGIN PGP SIGNATURE- iQIcBAEBCAAGBQJY3XaTAAoJEIP8BxPaZgwlJr8P/j8yn8mXWnAIiXUgHX7jBIGj JuMQGO5wwcfHRxOwJEOlsO/SIATUN1L1BB84anP7Bp4cfLqXonF8eKFPkEotwaf1 3wADCH98EwLuSyJOaKXsTQHppAKdJ6UEW4jHvfhYizenEWssPfCQdg68LSGZ2enR wD9ZhZgjwJIpLbqDTp7ygklR0htf4ZAFq/vIcyLykT6qagVE3xC8SAgd+7tb/fYe 4PYfqgGso/qpL0v6JL+YkCKH/aiMYV+HD45o1NcUbGdoiuUa9jpeYSSTP/9OgWpY nALDXe/dJZT/wz5Zv0cy6sGRh7gtjVqI0608WAM00Jp8CmFX60z4yrq/3t37wKbz iDQF4HyltqfCNF5oQ6xva9xAq/c2tyP8nBHzQ+ZtH/o1hyS/JdgoR38OojldyUc5 WzcTFL+h612ZVZVNm4lqBpg/0dpEkwXTE9KczyB5kSr5VVz0WXtjU5wFxKMdZpr5 Gq9uM+fHU4YHQqfGGZxmHFOgz7tCAyEsZEzpnPiYvoSksj3tJMkQG7FbIISltort CBAwLIt1hLR9g4T3p0e4ipCJf6kL/yZR3kMGhsjbDe012bTaC8ZeLG7VYmWkBaxY ieFMZIxmGgCq7KjDfNPh9JEmCtNgenkEOu6BszZK+gwmhL/AxVuuNRdd5OeBGy3G WY9JzBOc6MUi46Hh9ZN5 =szTz -END PGP SIGNATURE- To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1677781/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1971272] Re: Merge cyrus-sasl2 from Debian unstable for kinetic
** Changed in: cyrus-sasl2 (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1971272 Title: Merge cyrus-sasl2 from Debian unstable for kinetic Status in cyrus-sasl2 package in Ubuntu: New Bug description: Upstream: tbd Debian: 2.1.28+dfsg-4 Ubuntu: 2.1.27+dfsg2-3ubuntu1 Debian does new releases regularly, so it's likely there will be newer versions available before FF that we can pick up if this merge is done later in the cycle. ### New Debian Changes ### cyrus-sasl2 (2.1.28+dfsg-4) unstable; urgency=medium * d/copyright: java/* files were removed upstream * d/copyright: Reformat the default license's margin * d/copyright: Add project's license to include/makemd5.c * Move SCRAM to libsasl2-modules (Closes: #977360) * Install additional GS2 module for Heimdal * Remove Roberto from the Uploaders * Drop 0005-Fixes-in-library-mutexes.patch * Drop 0021-Fix-keytab-option-for-MIT-Kerberos.patch * Remove former logcheck conffile (Closes: #1009851) * lintian: Fix excessive-priority-for-library-package * lintian: Fix package-contains-empty-directory -- Bastian Germann Wed, 20 Apr 2022 01:01:01 +0200 cyrus-sasl2 (2.1.28+dfsg-3) unstable; urgency=high * Set MIT/Heimdal CFLAGS instead of CPPFLAGS * Drop unnecessary 0027-properly-create-libsasl2.pc.patch * Prevent installing outdated ChangeLog (Closes: #1009681) * Remove debug log message and its logcheck rule (Closes: #805310) * Self-reference pluginviewer man as saslpluginviewer (Closes: #1009380) * Get rid of broken README.configure-options * Add sasldbconverter2.8 manpage * d/copyright: Add missing KTH license * Install libsasl.5 manpage [ Debian Janitor ] * Remove constraints unnecessary since buster -- Bastian Germann Fri, 15 Apr 2022 12:02:13 +0200 cyrus-sasl2 (2.1.28+dfsg-2) unstable; urgency=medium * Remove cruft -- Bastian Germann Fri, 25 Feb 2022 18:58:54 +0100 cyrus-sasl2 (2.1.28+dfsg-1) experimental; urgency=medium * Drop upstream patches * Import new release signing key * Reset repacksuffix * New upstream version 2.1.28+dfsg (CVE-2022-24407) * Rebase 0027-properly-create-libsasl2.pc.patch -- Bastian Germann Tue, 22 Feb 2022 23:40:47 +0100 cyrus-sasl2 (2.1.27+dfsg2-3) unstable; urgency=medium [ Andreas Hasenack ] * Fix configure.ac for autoconf 2.70 (Closes: #1003355, #1000152) -- Bastian Germann Tue, 11 Jan 2022 11:25:37 +0100 cyrus-sasl2 (2.1.27+dfsg2-2) unstable; urgency=medium [ Helmut Grohne ] * Fix FTCBFS: (Closes: #928512) + cross.patch: Support caching SPNEGO support test. + Provide SPNEGO support test result. [ Vagrant Cascadian ] * Set date in man pages (Closes: #995145) -- Bastian Germann Wed, 17 Nov 2021 01:23:49 +0100 cyrus-sasl2 (2.1.27+dfsg2-1) unstable; urgency=medium * Add bage to uploaders (Closes: #799864) * Use upstream patches where possible * Amend off-by-one in _sasl_add_string function * Replace some patches by upstream equivalents * Apply the patches in order of to their prefixes * Add missing caret (^) in logcheck rule (Closes: #830764) * Remove unnecessary GPL copy * Add missing copyright/licenses * Repack, getting rid of more problematic files * Build html documentation * Make the package rebuildable * Remove outdated README.Debian info * Disable autostart via debhelper * Drop unnecessary patch * Remove alternative, old build dep libmysqlclient-dev Annotate documentation Build-Depends with :native [ Frédéric Brière ] * Make logcheck snippet compatible with systemd journal -- Bastian Germann Sun, 14 Nov 2021 14:11:18 +0100 cyrus-sasl2 (2.1.27+dfsg-2.3) unstable; urgency=medium * Non-maintainer upload. * d/watch: Check the github releases page * Get rid of a patch's patch * Recover upstream-compatible patch license (Closes: #996866) + Relicense libobj patch * Fix lintian: unused-override ### Old Ubuntu Delta ### cyrus-sasl2 (2.1.27+dfsg2-3ubuntu1) jammy; urgency=medium * SECURITY UPDATE: SQL injection in SQL plugin - debian/patches/CVE-2022-24407.patch: escape password for SQL insert/update commands in plugins/sql.c. - CVE-2022-24407 -- Marc Deslauriers Tue, 22 Feb 2022 14:17:18 -0500 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1971272/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1953065] Re: 2.13.0 FTBFS
** Merge proposal unlinked: https://code.launchpad.net/~ahasenack/ubuntu/+source/ust/+git/ust/+merge/421513 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ust in Ubuntu. https://bugs.launchpad.net/bugs/1953065 Title: 2.13.0 FTBFS Status in LTTng-UST: Unknown Status in ust package in Ubuntu: Fix Released Bug description: I tried to merge ust from debian into ubuntu, to fix a build-time dependency, but stumbled on an FTBFS with that version. I filed upstream bug at https://bugs.lttng.org/issues/1337 It basically happens in some new test cases that were added in 2.13.0 and crash when we build it using our default -Wl,-Bsymbolic-flags linker option, which we have been using for years in Ubuntu. Here is the testsuite log output: lttng-ust 2.14.0-pre: tests/test-suite.log # TOTAL: 246 # PASS: 241 # SKIP: 0 # XFAIL: 0 # FAIL: 4 # XPASS: 0 # ERROR: 1 .. contents:: :depth: 2 ERROR: regression/abi0-conflict/test_abi0_conflict == 1..22 # LD_PRELOAD # regression/abi0-conflict/test_abi0_conflict: LD_PRELOAD ok 1 - LD_PRELOAD: no-ust app works PASS: regression/abi0-conflict/test_abi0_conflict 1 - LD_PRELOAD: no-ust app works ok 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds PASS: regression/abi0-conflict/test_abi0_conflict 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds ./regression/abi0-conflict/test_abi0_conflict: line 56: 592651 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 59: 592652 Aborted (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails ok 5 - LD_PRELOAD: ust app works PASS: regression/abi0-conflict/test_abi0_conflict 5 - LD_PRELOAD: ust app works ./regression/abi0-conflict/test_abi0_conflict: line 68: 592669 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 6 - LD_PRELOAD: ust app with abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 6 - LD_PRELOAD: ust app with abi0 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 71: 592683 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 74: 592684 Aborted (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails # dlopen # regression/abi0-conflict/test_abi0_conflict: dlopen ok 9 - dlopen: no-ust app works PASS: regression/abi0-conflict/test_abi0_conflict 9 - dlopen: no-ust app works ok 10 - dlopen: no-ust app with abi1 and abi1 succeeds PASS: regression/abi0-conflict/test_abi0_conflict 10 - dlopen: no-ust app with abi1 and abi1 succeeds ./regression/abi0-conflict/test_abi0_conflict: line 92: 592689 Aborted (core dumped) LD_LIBRARY_PATH="$LIBFAKEUST0_PATH:$LIBUST1_PATH" "${CURDIR}/app_noust_dlopen" abi0_abi1 > "$STD_OUTPUT" 2> "$STD_ERROR" ok 11 - dlopen: no-ust app with abi0 and abi1 fails PASS: regression/abi0-conflict/test_abi0_conflict 11 - dlopen: no-ust app with abi0 and abi1 fails not ok 12 - dlopen: no-ust app with abi1 and abi0 fails FAIL: regression/abi0-conflict/test_abi0_conflict 12 - dlopen: no-ust app with abi1 and abi0 fails # Failed test 'dlopen: no-ust app with abi1 and abi0 fails' # regression/abi0-conflict/test_abi0_conflict: Failed test 'dlopen: no-ust app with abi1 and abi0 fails' # in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300. # regression/abi0-conflict/test_abi0_conflict: in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300. # got: '0' # regression/abi0-conflict/test_abi0_conflict: got: '0' # expected: '0' # regression/abi0-conflict/test_abi0_conflict: expected: '0' ok 13 - dlopen:
[Touch-packages] [Bug 1970979] Re: compiler flags leaking through krb5-config --libs
Post in the upstream mailing list, let's see if this spawns a discussion: https://mailman.mit.edu/pipermail/krbdev/2022-April/013543.html -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1970979 Title: compiler flags leaking through krb5-config --libs Status in krb5 package in Ubuntu: New Bug description: krb5-config --libs is leaking some compiler specific flags that we define in Ubuntu: $ krb5-config --libs -L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -lkrb5 -lk5crypto -lcom_err That ones that concern me more specifically are: - -Wl,-Bsymbolic-functions - -lto related ones I'm unsure if -Wl,-z,relro should be there either. It looks like LDFLAGS got mixed with LIBS. pkg-config's output is different and only contains the libraries and library path: $ pkg-config --libs krb5 -L/usr/lib/x86_64-linux-gnu/mit-krb5 -lkrb5 -lk5crypto -lcom_err To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1970979/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1970979] [NEW] compiler flags leaking through krb5-config --libs
Public bug reported: krb5-config --libs is leaking some compiler specific flags that we define in Ubuntu: $ krb5-config --libs -L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -lkrb5 -lk5crypto -lcom_err That ones that concern me more specifically are: - -Wl,-Bsymbolic-functions - -lto related ones I'm unsure if -Wl,-z,relro should be there either. It looks like LDFLAGS got mixed with LIBS. pkg-config's output is different and only contains the libraries and library path: $ pkg-config --libs krb5 -L/usr/lib/x86_64-linux-gnu/mit-krb5 -lkrb5 -lk5crypto -lcom_err ** Affects: krb5 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1970979 Title: compiler flags leaking through krb5-config --libs Status in krb5 package in Ubuntu: New Bug description: krb5-config --libs is leaking some compiler specific flags that we define in Ubuntu: $ krb5-config --libs -L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -flto=auto -Wl,-z,relro -lkrb5 -lk5crypto -lcom_err That ones that concern me more specifically are: - -Wl,-Bsymbolic-functions - -lto related ones I'm unsure if -Wl,-z,relro should be there either. It looks like LDFLAGS got mixed with LIBS. pkg-config's output is different and only contains the libraries and library path: $ pkg-config --libs krb5 -L/usr/lib/x86_64-linux-gnu/mit-krb5 -lkrb5 -lk5crypto -lcom_err To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1970979/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1970634] Re: FTBFS: mariadb fails to start due to low MEMLOCK limit
> Could it be -flto/-ffat-lto-objects related (like > https://jira.mariadb.org/browse/MDEV-25633)? > The top part of the stack trace looks the same. Nice catch. Indeed, disabling lto fixes the build and startup in low memlock conditions. I'm still concerned with lto creeping in via krb5-config[1], but that's another issue. 1. https://lists.ubuntu.com/archives/ubuntu-devel/2022-April/042013.html -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1970634 Title: FTBFS: mariadb fails to start due to low MEMLOCK limit Status in mariadb-10.6 package in Ubuntu: In Progress Status in systemd package in Ubuntu: Confirmed Bug description: ahasenack: IIRC, originally Launchpad was FTBFSing on mariadb that included io_uring support because upstream were doing a build time test for io_uring (and I think still are), which is wrong because it should be done at runtime since the lack of io_uring availablity at build time doesn't tell us about its availablity at runtime. But then the Launchpad builders got updated to a newer release and therefore a newer kernel that supported it. AIUI, that's how we ended up with a successful build in the Jammy release pocket (of 10.6). I think the lp builders are using the focal hwe kernel 5.4.0-something let me check that build log But then something changed that caused this current FTBFS, and I haven't tracked down what that is. hm, both are 10.6.7 release and proposed What puzzles me is that if the root cause is a memlock rlimit issue then why did it work before? So since there's a contradiction somewhere, maybe one or more of my "facts" above is wrong. this is the current failure 2022-04-14 8:11:49 0 [Warning] mariadbd: io_uring_queue_init() failed with ENOMEM: try larger memory locked limit, ulimit -l, or https://mariadb.com/kb/en/systemd/#configuring-limitmemlock under systemd (262144 bytes required) and ulimit -l confirms that the limit is lower Max locked memory 6553665536 bytes just 64kbytes Yeah but then how did the release pocket build work? either the limit was different back then or ... stuff To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mariadb-10.6/+bug/1970634/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1970634] Re: FTBFS: mariadb fails to start due to low MEMLOCK limit
Since mariadb on the current jammy kernel disables io_uring at startup, I'm considering disabling io_uring entirely in the jammy mariadb build. The only scenario where io_uring would be used by the jammy mariadb is if the user ran a different kernel than the one shipped with jammy. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1970634 Title: FTBFS: mariadb fails to start due to low MEMLOCK limit Status in mariadb-10.6 package in Ubuntu: In Progress Status in systemd package in Ubuntu: New Bug description: ahasenack: IIRC, originally Launchpad was FTBFSing on mariadb that included io_uring support because upstream were doing a build time test for io_uring (and I think still are), which is wrong because it should be done at runtime since the lack of io_uring availablity at build time doesn't tell us about its availablity at runtime. But then the Launchpad builders got updated to a newer release and therefore a newer kernel that supported it. AIUI, that's how we ended up with a successful build in the Jammy release pocket (of 10.6). I think the lp builders are using the focal hwe kernel 5.4.0-something let me check that build log But then something changed that caused this current FTBFS, and I haven't tracked down what that is. hm, both are 10.6.7 release and proposed What puzzles me is that if the root cause is a memlock rlimit issue then why did it work before? So since there's a contradiction somewhere, maybe one or more of my "facts" above is wrong. this is the current failure 2022-04-14 8:11:49 0 [Warning] mariadbd: io_uring_queue_init() failed with ENOMEM: try larger memory locked limit, ulimit -l, or https://mariadb.com/kb/en/systemd/#configuring-limitmemlock under systemd (262144 bytes required) and ulimit -l confirms that the limit is lower Max locked memory 6553665536 bytes just 64kbytes Yeah but then how did the release pocket build work? either the limit was different back then or ... stuff To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mariadb-10.6/+bug/1970634/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1970634] Re: FTBFS: test failure due to low memlock limit
I added a task for systemd to consider raising the default RLIMIT_MEMLOCK limit. This upstream commit raises the default limit to 8Mb: https://github.com/systemd/systemd/commit/852b62507b2 The way things are now, the following scenario does NOT work out of the box: - jammy lxd on focal host - apt install mariadb-server mariadb will crash and core dump because of the low MEMLOCK limit. Its systemd service file even has this line to raise the limit: LimitMEMLOCK=524288 But that does not have any effect from inside the unprivileged lxd container. Jammy lxd on jammy host will work just because the jammy kernel (5.15.0) is deemed unsafe[1] for uring by mariadb, and then uring is disabled during startup. 1. https://github.com/MariaDB/server/blob/10.6/storage/innobase/handler/ha_innodb.cc#L19480 ** Summary changed: - FTBFS: test failure due to low memlock limit + FTBFS: mariadb fails to start due to low MEMLOCK limit -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1970634 Title: FTBFS: mariadb fails to start due to low MEMLOCK limit Status in mariadb-10.6 package in Ubuntu: In Progress Status in systemd package in Ubuntu: New Bug description: ahasenack: IIRC, originally Launchpad was FTBFSing on mariadb that included io_uring support because upstream were doing a build time test for io_uring (and I think still are), which is wrong because it should be done at runtime since the lack of io_uring availablity at build time doesn't tell us about its availablity at runtime. But then the Launchpad builders got updated to a newer release and therefore a newer kernel that supported it. AIUI, that's how we ended up with a successful build in the Jammy release pocket (of 10.6). I think the lp builders are using the focal hwe kernel 5.4.0-something let me check that build log But then something changed that caused this current FTBFS, and I haven't tracked down what that is. hm, both are 10.6.7 release and proposed What puzzles me is that if the root cause is a memlock rlimit issue then why did it work before? So since there's a contradiction somewhere, maybe one or more of my "facts" above is wrong. this is the current failure 2022-04-14 8:11:49 0 [Warning] mariadbd: io_uring_queue_init() failed with ENOMEM: try larger memory locked limit, ulimit -l, or https://mariadb.com/kb/en/systemd/#configuring-limitmemlock under systemd (262144 bytes required) and ulimit -l confirms that the limit is lower Max locked memory 6553665536 bytes just 64kbytes Yeah but then how did the release pocket build work? either the limit was different back then or ... stuff To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mariadb-10.6/+bug/1970634/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1970634] Re: FTBFS: test failure due to low memlock limit
** Also affects: systemd (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1970634 Title: FTBFS: test failure due to low memlock limit Status in mariadb-10.6 package in Ubuntu: In Progress Status in systemd package in Ubuntu: New Bug description: ahasenack: IIRC, originally Launchpad was FTBFSing on mariadb that included io_uring support because upstream were doing a build time test for io_uring (and I think still are), which is wrong because it should be done at runtime since the lack of io_uring availablity at build time doesn't tell us about its availablity at runtime. But then the Launchpad builders got updated to a newer release and therefore a newer kernel that supported it. AIUI, that's how we ended up with a successful build in the Jammy release pocket (of 10.6). I think the lp builders are using the focal hwe kernel 5.4.0-something let me check that build log But then something changed that caused this current FTBFS, and I haven't tracked down what that is. hm, both are 10.6.7 release and proposed What puzzles me is that if the root cause is a memlock rlimit issue then why did it work before? So since there's a contradiction somewhere, maybe one or more of my "facts" above is wrong. this is the current failure 2022-04-14 8:11:49 0 [Warning] mariadbd: io_uring_queue_init() failed with ENOMEM: try larger memory locked limit, ulimit -l, or https://mariadb.com/kb/en/systemd/#configuring-limitmemlock under systemd (262144 bytes required) and ulimit -l confirms that the limit is lower Max locked memory 6553665536 bytes just 64kbytes Yeah but then how did the release pocket build work? either the limit was different back then or ... stuff To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mariadb-10.6/+bug/1970634/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1969676] [NEW] Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1
Public bug reported: When provisioning a new realm, this warning is logged in /var/log/syslog: ==> /var/log/syslog <== Apr 20 20:43:16 kdc systemd[1]: Starting Kerberos 5 Key Distribution Center... Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1! This comes from "master_key_type" in the default kdc.conf shipped in krb5-kdc: $ cat /usr/share/krb5-kdc/kdc.conf.template [kdcdefaults] kdc_ports = 750,88 [realms] @MYREALM = { database_name = /var/lib/krb5kdc/principal admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab acl_file = /etc/krb5kdc/kadm5.acl key_stash_file = /etc/krb5kdc/stash kdc_ports = 750,88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des3-hmac-sha1 #supported_enctypes = aes256-cts:normal aes128-cts:normal default_principal_flags = +preauth } The kdc.conf manpage says that the current default is "aes256-cts-hmac-sha1-96". The sample kdc.conf in the documentation at https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html#kdc-conf suggests just "master_key_type = aes256-cts". Changing encryption defaults should be done carefully, even when suggested by upstream. I filed bugs.debian.org/1009927 in debian as well. ** Affects: krb5 (Ubuntu) Importance: Medium Status: Triaged ** Affects: krb5 (Debian) Importance: Unknown Status: Unknown ** Changed in: krb5 (Ubuntu) Status: New => Triaged ** Changed in: krb5 (Ubuntu) Importance: Undecided => Medium ** Bug watch added: Debian Bug tracker #1009927 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009927 ** Also affects: krb5 (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009927 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1969676 Title: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1 Status in krb5 package in Ubuntu: Triaged Status in krb5 package in Debian: Unknown Bug description: When provisioning a new realm, this warning is logged in /var/log/syslog: ==> /var/log/syslog <== Apr 20 20:43:16 kdc systemd[1]: Starting Kerberos 5 Key Distribution Center... Apr 20 20:43:16 kdc krb5kdc[3136]: Stash file /etc/krb5kdc/stash uses DEPRECATED enctype des3-cbc-sha1! This comes from "master_key_type" in the default kdc.conf shipped in krb5-kdc: $ cat /usr/share/krb5-kdc/kdc.conf.template [kdcdefaults] kdc_ports = 750,88 [realms] @MYREALM = { database_name = /var/lib/krb5kdc/principal admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab acl_file = /etc/krb5kdc/kadm5.acl key_stash_file = /etc/krb5kdc/stash kdc_ports = 750,88 max_life = 10h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = des3-hmac-sha1 #supported_enctypes = aes256-cts:normal aes128-cts:normal default_principal_flags = +preauth } The kdc.conf manpage says that the current default is "aes256-cts-hmac-sha1-96". The sample kdc.conf in the documentation at https://web.mit.edu/kerberos/krb5-latest/doc/admin/install_kdc.html#kdc-conf suggests just "master_key_type = aes256-cts". Changing encryption defaults should be done carefully, even when suggested by upstream. I filed bugs.debian.org/1009927 in debian as well. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1969676/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1774788] Re: Daemon won't start at boot up (18LTS fully patched)
This is a class[1] of bugs for which we cannot come up with a general solution that will safely and sanely apply to all scenarios. For such cases, local configuration changes should be made to accommodate the intended behavior in each case. We believe that, in this particular case, since the configuration was explicitly changed to use a specific IP, you should continue with the changes and adjust the systemd unit file for rsync to cope with that. Be it adjust the target to be network-online, or something else that explicitly waits for that very interface to come up. systemd offers mechanisms for such overrides, and it's described in more detail in comment #2. Regarding the "systemctl start rsync" exit status, it's the way it work with Type=simple systemd services. From the systemd.service manpage: """ If set to simple (the default if ExecStart= is specified but neither Type= nor BusName= are) the service manager will consider the unit started immediately after the main service process has been forked off. (...) Note that this means systemctl start command lines for simple services will report success even if the service's binary cannot be invoked successfully """ I tried Type=exec, but it still behaved in the same way (as the error happens after rsync starts up, i.e., the binary was executed). With Type=forking I got a bit further, but the timeout needs tuning: root@j1-rsyncd:~# time systemctl start rsync Job for rsync.service failed because a timeout was exceeded. See "systemctl status rsync.service" and "journalctl -xeu rsync.service" for details. real1m30.246s With TimeoutStartSec=5 in the unit file it's better: root@j1-rsyncd:~# time systemctl start rsync Job for rsync.service failed because a timeout was exceeded. See "systemctl status rsync.service" and "journalctl -xeu rsync.service" for details. real0m5.287s I think the most reliably way would be Type=notify, but that requires rsync code changes to support systemd's notify mechanism. In summary, for the specific case of this bug, we believe that systemd overrides are the best answer for now. To detect startup errors immediately, I'm willing to file a separate bug. 1. https://bugs.launchpad.net/ubuntu/+bugs?field.tag=network-online-ordering ** Changed in: rsync (Ubuntu) Status: Triaged => Won't Fix -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsync in Ubuntu. https://bugs.launchpad.net/bugs/1774788 Title: Daemon won't start at boot up (18LTS fully patched) Status in rsync: Unknown Status in rsync package in Ubuntu: Won't Fix Bug description: By adding the 'address=' option to the /etc/rsyncd.conf file, the daemon fails at boot. Once the NIC(s) is/are up, it will start fine when executed via systemctl start rsync ● rsync.service - fast remote file copy program daemon Loaded: loaded (/lib/systemd/system/rsync.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Sat 2018-06-02 08:01:31 CST; 52min ago Process: 851 ExecStart=/usr/bin/rsync --daemon --no-detach (code=exited, status=10) Main PID: 851 (code=exited, status=10) Jun 02 08:01:31 billlaptop.private.ycc systemd[1]: Started fast remote file copy program daemon. Jun 02 08:01:31 billlaptop.private.ycc rsyncd[851]: rsyncd version 3.1.2 starting, listening on port 873 Jun 02 08:01:31 billlaptop.private.ycc rsyncd[851]: bind() failed: Cannot assign requested address (address-family 2) Jun 02 08:01:31 billlaptop.private.ycc systemd[1]: rsync.service: Main process exited, code=exited, status=10/n/a Jun 02 08:01:31 billlaptop.private.ycc rsyncd[851]: unable to bind any inbound sockets on port 873 Jun 02 08:01:31 billlaptop.private.ycc systemd[1]: rsync.service: Failed with result 'exit-code'. Jun 02 08:01:31 billlaptop.private.ycc rsyncd[851]: rsync error: error in socket IO (code 10) at socket.c(555) [Receiver=3.1.2] ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: rsync 3.1.2-2.1ubuntu1 ProcVersionSignature: Ubuntu 4.15.0-22.24-generic 4.15.17 Uname: Linux 4.15.0-22-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.1 Architecture: amd64 CurrentDesktop: GNOME Date: Sat Jun 2 08:48:15 2018 InstallationDate: Installed on 2018-06-01 (0 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426) SourcePackage: rsync UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/rsync/+bug/1774788/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1961981] [NEW] Current delta applied twice, not needed
Public bug reported: audit has this ubuntu delta: * Merge with Debian unstable. Remaining changes: - debian/rules: Disable auditd network listener, with --disable-listener, to reduce the risk of a remote attack on auditd, which runs as root Turns out this was adopted in debian since 1:2.8.5-1: * debian/rules: On Ubuntu and derivatives, disable auditd network listener with --disable-listener Debian's change is: # Merge the last remaining Ubuntu specific change in Debian: # Disable auditd network listener to reduce the risk of a remote attack on # auditd, which runs as root ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes), yes) CONFIGURE_FLAGS += --disable-listener endif and ours is to add --disable-listener explicitly. d/rules ends up being: dh_auto_configure -- \ --sbindir=/sbin \ --libdir=/lib/${DEB_HOST_MULTIARCH} \ --enable-shared=audit \ --enable-gssapi-krb5 \ --disable-listener \ --with-apparmor \ --with-libwrap \ --with-libcap-ng \ $(CONFIGURE_FLAGS) \ --with-arm --with-aarch64 ${EXTRA_ARCH_TABLE} CONFIGURE_FLAGS gets --disable-listener on ubuntu, and we add it again. The delta can be dropped. Then it's just a matter of checking the other debian changes and, if deemed appropriate, sync the package. ** Affects: audit (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1961981 Title: Current delta applied twice, not needed Status in audit package in Ubuntu: New Bug description: audit has this ubuntu delta: * Merge with Debian unstable. Remaining changes: - debian/rules: Disable auditd network listener, with --disable-listener, to reduce the risk of a remote attack on auditd, which runs as root Turns out this was adopted in debian since 1:2.8.5-1: * debian/rules: On Ubuntu and derivatives, disable auditd network listener with --disable-listener Debian's change is: # Merge the last remaining Ubuntu specific change in Debian: # Disable auditd network listener to reduce the risk of a remote attack on # auditd, which runs as root ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes), yes) CONFIGURE_FLAGS += --disable-listener endif and ours is to add --disable-listener explicitly. d/rules ends up being: dh_auto_configure -- \ --sbindir=/sbin \ --libdir=/lib/${DEB_HOST_MULTIARCH} \ --enable-shared=audit \ --enable-gssapi-krb5 \ --disable-listener \ --with-apparmor \ --with-libwrap \ --with-libcap-ng \ $(CONFIGURE_FLAGS) \ --with-arm --with-aarch64 ${EXTRA_ARCH_TABLE} CONFIGURE_FLAGS gets --disable-listener on ubuntu, and we add it again. The delta can be dropped. Then it's just a matter of checking the other debian changes and, if deemed appropriate, sync the package. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1961981/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1959054] Re: debhelper restarts services marked --no-restart-on-upgrade
It worked ii debconf1.5.79ubuntu1 all Debian configuration management system root@j-slapd-reconfigure:~# pidof slapd 105004 root@j-slapd-reconfigure:~# dpkg-reconfigure -fnoninteractive -pcritical slapd Backing up /etc/ldap/slapd.d in /var/backups/slapd-2.5.11+dfsg-1~exp1ubuntu3... done. Moving old database directory to /var/backups: - directory unknown... done. Creating initial configuration... done. Creating LDAP directory... done. root@j-slapd-reconfigure:~# pidof slapd 105415 root@j-slapd-reconfigure:~# -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to debconf in Ubuntu. https://bugs.launchpad.net/bugs/1959054 Title: debhelper restarts services marked --no-restart-on-upgrade Status in debconf package in Ubuntu: New Status in debhelper package in Ubuntu: Fix Released Status in docker.io package in Ubuntu: Fix Released Status in libvirt package in Ubuntu: Fix Committed Status in debconf source package in Jammy: New Status in debhelper source package in Jammy: Fix Released Status in docker.io source package in Jammy: Fix Released Status in libvirt source package in Jammy: Fix Committed Status in debconf package in Debian: New Status in debhelper package in Debian: New Bug description: Debian bug #994204 (https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=994204) describes a flaw in debhelper that results in the postinst being generated in such a fashion that services marked --no-stop-on-upgrade (or its deprecated alias --no- restart-on-upgrade), restart anyway. Please note: this is nothing to do with the --no-restart-after-upgrade flag (which is, somewhat confusingly IMO, unrelated). I've confirmed that the flaw appears to be present in the jammy version of debhelper (though not impish) and that packages generated with it appear to contain the flawed postinst (I first encountered this whilst working on the open-iscsi merge), though I haven't yet managed to test that the flaw exhibits itself on upgrade (though I'd say from the presence of the flaw in the postinst, that it's a reasonable inference that it will). In dbus (the merge of which I'm currently working on), Debian has worked around this but given I've now run into two affected packages (open-iscsi and dbus), only one of which has a work-around, I'd much rather we got debhelper fixed up and rebuilt affected packages? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/1959054/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1959054] Re: debhelper restarts services marked --no-restart-on-upgrade
Gladly! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to debconf in Ubuntu. https://bugs.launchpad.net/bugs/1959054 Title: debhelper restarts services marked --no-restart-on-upgrade Status in debconf package in Ubuntu: New Status in debhelper package in Ubuntu: Fix Released Status in docker.io package in Ubuntu: Fix Released Status in libvirt package in Ubuntu: Fix Committed Status in debconf source package in Jammy: New Status in debhelper source package in Jammy: Fix Released Status in docker.io source package in Jammy: Fix Released Status in libvirt source package in Jammy: Fix Committed Status in debconf package in Debian: New Status in debhelper package in Debian: New Bug description: Debian bug #994204 (https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=994204) describes a flaw in debhelper that results in the postinst being generated in such a fashion that services marked --no-stop-on-upgrade (or its deprecated alias --no- restart-on-upgrade), restart anyway. Please note: this is nothing to do with the --no-restart-after-upgrade flag (which is, somewhat confusingly IMO, unrelated). I've confirmed that the flaw appears to be present in the jammy version of debhelper (though not impish) and that packages generated with it appear to contain the flawed postinst (I first encountered this whilst working on the open-iscsi merge), though I haven't yet managed to test that the flaw exhibits itself on upgrade (though I'd say from the presence of the flaw in the postinst, that it's a reasonable inference that it will). In dbus (the merge of which I'm currently working on), Debian has worked around this but given I've now run into two affected packages (open-iscsi and dbus), only one of which has a work-around, I'd much rather we got debhelper fixed up and rebuilt affected packages? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/debconf/+bug/1959054/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1528921] Re: rsync hangs on select(5, [], [4], [], {60, 0}
** Changed in: rsync (Ubuntu Bionic) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsync in Ubuntu. https://bugs.launchpad.net/bugs/1528921 Title: rsync hangs on select(5, [], [4], [], {60, 0} Status in rsync: Unknown Status in rsync package in Ubuntu: Confirmed Status in rsync source package in Bionic: In Progress Status in rsync source package in Focal: In Progress Bug description: [Impact] What the user suffering from this bug experiences is that the big amount of informative messages related to the copy process with the three spawned processes(sender, receiver and generator) exhaust the I/O buffer and the sync gets stuck, either because there are too many files to synchronise and/or because too many detail messages (levels of verbose mode) have been requested in the output. The fix, that comes from upstream and is applied there since version 3.2.0., increments the size of the receiver's I/O buffer. [Test Plan] This test plan is for Focal, but it's the same for Bionic. 0.Preparing the test environment: #Preparing the container lxc launch images:ubuntu/focal rsync-iobuffer-focal lxc shell rsync-iobuffer-focal apt update -y apt upgrade -y #Installing necessary tools apt install rsync #Get test cases from comments #16 and #19 on this LP bug: As test case #16 covers both aspects (a lot of files and upper verbosity) and test #19 uses a huge tarball (120 Mb), I'm removing from this SRU the #19 scenario (but, please, feel to reach me it if you consider it necessary and I'll provide the steps and bad/good scenarios). cd /tmp/ #16 Paste the contents of https://pastebin.com/raw/ctzJJGwt: #!/bin/bash mkdir source_dir pushd source_dir dd if=/dev/zero of=source bs=600K count=1 for i in `seq 1 11500`; do cp -v source file_$i; done rm source for i in `seq 1 10`; do dd if=/dev/zero of=file_large_$i bs=200M count=1 done popd echo "Created 11500 files with size 600K and 10 files with size 200M, try the following command:" echo "rsync -avvvz --delete source_dir target_dir" in a new file script_comment16.sh chmod +x script_comment16.sh ./script_comment16.sh 1. Bad cases (without and with using strace): # Scenario from comment 16 $ rsync -avvvz --delete source_dir target_dir sending incremental file list [sender] make_file(source_dir,*,0) send_file_list done [sender] pushing local filters for /root/source_dir/ [sender] make_file(source_dir/file_3048,*,2) [sender] make_file(source_dir/file_11358,*,2) [sender] make_file(source_dir/file_5914,*,2) [sender] make_file(source_dir/file_5880,*,2) [sender] make_file(source_dir/file_9318,*,2) [sender] make_file(source_dir/file_5539,*,2) [...] sending file_sum false_alarms=0 hash_hits=0 matches=0 sender finished source_dir/file_10807 send_files(903, source_dir/file_10808) send_files mapped source_dir/file_10808 of size 614400 calling match_sums source_dir/file_10808 source_dir/file_10808 It hangs here, where using strace we can see: $ strace rsync -avvvz --delete source_dir target_dir source_dir/file_11280 read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 262144) = 262144 read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 262144) = 262144 read(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 90112) = 90112 select(6, [5], [4], [5], {tv_sec=60, tv_usec=0}) = 1 (in [5], left {tv_sec=59, tv_usec=96}) read(5, "\0\0\0\0\0\0\0\1\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\0\0\0"..., 1900) = 1900 select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout) select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout) select(5, [], [4], [], {tv_sec=60, tv_usec=0} 1. Good cases: # Scenario from comment 16 $ rsync -avvvz --delete source_dir target_dir sending incremental file list [sender] make_file(source_dir,*,0) send_file_list done [sender] pushing local filters for /tmp/source_dir/ [sender] make_file(source_dir/file_3052,*,2) [sender] make_file(source_dir/file_1766,*,2) [sender] make_file(source_dir/file_10466,*,2) [sender] make_file(source_dir/file_9375,*,2) [sender] make_file(source_dir/file_7260,*,2) [sender] make_file(source_dir/file_5554,*,2) [sender] make_file(source_dir/file_5523,*,2) [sender] make_file(source_dir/file_1685,*,2) [sender] make_file(source_dir/file_7217,*,2) [sender] make_file(source_dir/file_10411,*,2) [...] generate_files finished sent 9,555,678 bytes received 3,599,560 bytes 124,694.20 bytes/sec total size is 9,162,752,000 speedup is 696.51 [Where problems could occur] Perhaps the buffer size may not be sufficient for an operation involving a very huge amount of data, as reported upstream here (
[Touch-packages] [Bug 1528921] Re: rsync hangs on select(5, [], [4], [], {60, 0}
** Merge proposal linked: https://code.launchpad.net/~mirespace/ubuntu/+source/rsync/+git/rsync/+merge/415244 ** Changed in: rsync (Ubuntu Focal) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsync in Ubuntu. https://bugs.launchpad.net/bugs/1528921 Title: rsync hangs on select(5, [], [4], [], {60, 0} Status in rsync: Unknown Status in rsync package in Ubuntu: Confirmed Status in rsync source package in Bionic: New Status in rsync source package in Focal: In Progress Bug description: [Impact] What the user suffering from this bug experiences is that the big amount of informative messages related to the copy process with the three spawned processes(sender, receiver and generator) exhaust the I/O buffer and the sync gets stuck, either because there are too many files to synchronise and/or because too many detail messages (levels of verbose mode) have been requested in the output. The fix, that comes from upstream and is applied there since version 3.2.0., increments the size of the receiver's I/O buffer. [Test Plan] This test plan is for Focal, but it's the same for Bionic. 0.Preparing the test environment: #Preparing the container lxc launch images:ubuntu/focal rsync-iobuffer-focal lxc shell rsync-iobuffer-focal apt update -y apt upgrade -y #Installing necessary tools apt install rsync apt install wget #Get test cases from comments #16 and #19 on this LP bug cd /tmp/ #19 wget https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1528921/+attachment/5211950/+files/html2.tgz tar -xvzf /tmp/html2.tgz mkdir /tmp/rsynctest #16 Paste the contents of https://pastebin.com/raw/ctzJJGwt: #!/bin/bash mkdir source_dir pushd source_dir dd if=/dev/zero of=source bs=600K count=1 for i in `seq 1 11500`; do cp -v source file_$i; done rm source for i in `seq 1 10`; do dd if=/dev/zero of=file_large_$i bs=200M count=1 done popd echo "Created 11500 files with size 600K and 10 files with size 200M, try the following command:" echo "rsync -avvvz --delete source_dir target_dir" in a new file script_comment16.sh chmod +x script_comment16.sh ./script_comment16.sh 1. Bad cases (without and with using strace): # Scenario from comment 19 $ rsync --debug=all -avz /tmp/html2 /tmp/rsynctest/ (Client) Protocol versions: remote=31, negotiated=31 sending incremental file list [sender] change_dir(/tmp) send_files starting server_recv(2) starting pid=49029 get_local_name count=7070 /tmp/rsynctest/ created directory /tmp/rsynctest [Receiver] change_dir(/tmp/rsynctest) generator starting pid=49029 delta-transmission disabled for local transfer or --whole-file recv_generator(html2,1) recv_generator(html2,2) set uid of html2 from 0 to 1000 set gid of html2 from 0 to 1000 set modtime of html2 to (1447205118) Wed Nov 11 01:25:18 2015 [...] sender finished /tmp/html2/annotator__raw_8h__incl.md5 send_files(282, /tmp/html2/annotator__raw_8h__incl.png) html2/annotator__raw_8h__incl.png It hangs here, where using strace we can see: $ strace rsync --debug=all -avz /tmp/html2 /tmp/rsynctest/ [...] read(3, "\211PNG\r\n\32\n\0\0\0\rIHDR\0\0\v\4\0\0\2\233\10\6\0\0\0\361\177\254"..., 262144) = 262144 select(6, [5], [4], [5], {tv_sec=60, tv_usec=0}) = 2 (in [5], out [4], left {tv_sec=59, tv_usec=98}) read(5, "\0\0\0\0\0\0\0\1\0\240\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\0\240\0\0\0"..., 95) = 95 write(4, "K\374\0\7\177\377\207\343\335\345+{W\335{K\371y\211w`Ysl\336B{\312\340}\320\301"..., 64591) = 64591 select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 1 (out [4], left {tv_sec=59, tv_usec=98}) write(4, "\336\322\0\7\177\377\255\371\367\215v\321-\224\323+\363\261\243\7\211Do\230\256\257O\372\367:\357O"..., 53986) = 53986 select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout) select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout) select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout) select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout) select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout) select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout) select(5, [], [4], [], {tv_sec=60, tv_usec=0}) = 0 (Timeout) select(5, [], [4], [], {tv_sec=60, tv_usec=0} # Scenario from comment 16 $ rsync -avvvz --delete source_dir target_dir sending incremental file list [sender] make_file(source_dir,*,0) send_file_list done [sender] pushing local filters for /root/source_dir/ [sender] make_file(source_dir/file_3048,*,2) [sender] make_file(source_dir/file_11358,*,2) [sender] make_file(source_dir/file_5914,*,2) [sender] make_file(source_dir/file_5880,*,2) [sender] make_file(source_dir/file_9318,*,2) [sender] make_file(source_dir/file_5539,*,2) [...] sending file_sum
Re: [Touch-packages] [Bug 1959101] Re: sync/merge krb5
I did, and it asked me to wait for the sync to be complete before closing the bug, this time I obeyed ;) On Wed, Feb 2, 2022, 20:16 Sergio Durigan Junior <1959...@bugs.launchpad.net> wrote: > On Wednesday, February 02 2022, Andreas Hasenack wrote: > > > Sync requested, I'll wait for the package to migrate before closing the > > bug. > > You can also invoke "syncpackage" using the "--bug" option, FWIW. > > -- > Sergio > GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14 > > -- > You received this bug notification because you are subscribed to the bug > report. > https://bugs.launchpad.net/bugs/1959101 > > Title: > sync/merge krb5 > > Status in krb5 package in Ubuntu: > In Progress > > Bug description: > We went ahead of debian because of openssl3: > krb5 (1.19.2-0ubuntu1) jammy; urgency=medium > > [ Sam Hartman ] > * New Upstream version > * Depend on tex-gyre, Closes: #997407 > > [Simon Chopin] > * d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch: > Cherry-picked from upstream master to fix OpenSSL3 build. > Closes: #995152, LP: #1945795 > >-- Simon Chopin Tue, 30 Nov 2021 > 10:54:17 +0100 > > Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1: > krb5 (1.19.2-1) experimental; urgency=medium > > * New Upstream version > * Include patch to work with OpenSSL 3.0, Closes: #995152 > * Depend on tex-gyre, Closes: #997407 > >-- Sam Hartman Wed, 27 Oct 2021 14:04:42 -0600 > > Since we are already at 1.19.2, we might as well merge/sync with > experimental. > > To manage notifications about this bug go to: > https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions > > Launchpad-Notification-Type: bug > Launchpad-Bug: distribution=ubuntu; sourcepackage=krb5; component=main; > milestone=ubuntu-22.02; status=In Progress; importance=Undecided; assignee= > andr...@canonical.com; > Launchpad-Bug-Tags: needs-merge > Launchpad-Bug-Information-Type: Public > Launchpad-Bug-Private: no > Launchpad-Bug-Security-Vulnerability: no > Launchpad-Bug-Commenters: ahasenack sergiodj > Launchpad-Bug-Reporter: Andreas Hasenack (ahasenack) > Launchpad-Bug-Modifier: Sergio Durigan Junior (sergiodj) > Launchpad-Message-Rationale: Subscriber > Launchpad-Message-For: ahasenack > > -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1959101 Title: sync/merge krb5 Status in krb5 package in Ubuntu: In Progress Bug description: We went ahead of debian because of openssl3: krb5 (1.19.2-0ubuntu1) jammy; urgency=medium [ Sam Hartman ] * New Upstream version * Depend on tex-gyre, Closes: #997407 [Simon Chopin] * d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch: Cherry-picked from upstream master to fix OpenSSL3 build. Closes: #995152, LP: #1945795 -- Simon Chopin Tue, 30 Nov 2021 10:54:17 +0100 Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1: krb5 (1.19.2-1) experimental; urgency=medium * New Upstream version * Include patch to work with OpenSSL 3.0, Closes: #995152 * Depend on tex-gyre, Closes: #997407 -- Sam Hartman Wed, 27 Oct 2021 14:04:42 -0600 Since we are already at 1.19.2, we might as well merge/sync with experimental. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1959101] Re: sync/merge krb5
Sync requested, I'll wait for the package to migrate before closing the bug. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1959101 Title: sync/merge krb5 Status in krb5 package in Ubuntu: In Progress Bug description: We went ahead of debian because of openssl3: krb5 (1.19.2-0ubuntu1) jammy; urgency=medium [ Sam Hartman ] * New Upstream version * Depend on tex-gyre, Closes: #997407 [Simon Chopin] * d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch: Cherry-picked from upstream master to fix OpenSSL3 build. Closes: #995152, LP: #1945795 -- Simon Chopin Tue, 30 Nov 2021 10:54:17 +0100 Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1: krb5 (1.19.2-1) experimental; urgency=medium * New Upstream version * Include patch to work with OpenSSL 3.0, Closes: #995152 * Depend on tex-gyre, Closes: #997407 -- Sam Hartman Wed, 27 Oct 2021 14:04:42 -0600 Since we are already at 1.19.2, we might as well merge/sync with experimental. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1959101] Re: sync/merge krb5
This can indeed be a sync, the only change wrt ubuntu is the openssl3 patch was renamed: --- krb5-1.19.2-ubuntu/debian/patches/series2021-11-30 06:54:14.0 -0300 +++ krb5-1.19.2-debian/debian/patches/series2021-10-27 17:04:42.0 -0300 @@ -8,4 +8,4 @@ debian-local/0008-Use-isystem-for-include-paths.patch 0009-Add-.gitignore.patch 0011-Fix-KDC-null-deref-on-TGS-inner-body-null-server.patch -0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch +0011-Fix-softpkcs11-build-issues-with-openssl-3.0.patch Contents are "the same": $ diff -u krb5-1.19.2-ubuntu/debian/patches/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch krb5-1.19.2-debian/debian/patches/0011-Fix-softpkcs11-build-issues-with-openssl-3.0.patch --- krb5-1.19.2-ubuntu/debian/patches/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch 2021-11-30 06:54:17.0 -0300 +++ krb5-1.19.2-debian/debian/patches/0011-Fix-softpkcs11-build-issues-with-openssl-3.0.patch 2021-10-27 17:04:42.0 -0300 @@ -1,7 +1,6 @@ -From 7c1bf1c800ef9837179d78fab95a2103623558db Mon Sep 17 00:00:00 2001 From: Robbie Harwood Date: Sat, 15 May 2021 17:35:25 -0400 -Subject: [PATCH] Fix softpkcs11 build issues with openssl 3.0 +Subject: Fix softpkcs11 build issues with openssl 3.0 EVP_PKEY_get0_RSA() has been modified to have const return type. Remove its usages in favor of the EVP_PKEY interface. Also remove calls to @@ -15,12 +14,14 @@ Move several argument validation checks to the top of their functions. Fix some incorrect/inconsistent log messages. + +(cherry picked from commit 00de1aad7b3647b91017c7009b0bc65cd0c8b2e0) --- - src/tests/softpkcs11/main.c | 290 +--- + src/tests/softpkcs11/main.c | 290 1 file changed, 106 insertions(+), 184 deletions(-) diff --git a/src/tests/softpkcs11/main.c b/src/tests/softpkcs11/main.c -index 1cccdfb43..caa537b68 100644 +index 1cccdfb..caa537b 100644 --- a/src/tests/softpkcs11/main.c +++ b/src/tests/softpkcs11/main.c @@ -375,10 +375,9 @@ add_st_object(void) @@ -522,6 +523,3 @@ CK_FUNCTION_LIST funcs = { { 2, 11 }, C_Initialize, --- -2.32.0 - ** Changed in: krb5 (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1959101 Title: sync/merge krb5 Status in krb5 package in Ubuntu: In Progress Bug description: We went ahead of debian because of openssl3: krb5 (1.19.2-0ubuntu1) jammy; urgency=medium [ Sam Hartman ] * New Upstream version * Depend on tex-gyre, Closes: #997407 [Simon Chopin] * d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch: Cherry-picked from upstream master to fix OpenSSL3 build. Closes: #995152, LP: #1945795 -- Simon Chopin Tue, 30 Nov 2021 10:54:17 +0100 Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1: krb5 (1.19.2-1) experimental; urgency=medium * New Upstream version * Include patch to work with OpenSSL 3.0, Closes: #995152 * Depend on tex-gyre, Closes: #997407 -- Sam Hartman Wed, 27 Oct 2021 14:04:42 -0600 Since we are already at 1.19.2, we might as well merge/sync with experimental. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1959101] Re: sync/merge krb5
** Changed in: krb5 (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: krb5 (Ubuntu) Milestone: ubuntu-22.01 => ubuntu-22.02 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1959101 Title: sync/merge krb5 Status in krb5 package in Ubuntu: New Bug description: We went ahead of debian because of openssl3: krb5 (1.19.2-0ubuntu1) jammy; urgency=medium [ Sam Hartman ] * New Upstream version * Depend on tex-gyre, Closes: #997407 [Simon Chopin] * d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch: Cherry-picked from upstream master to fix OpenSSL3 build. Closes: #995152, LP: #1945795 -- Simon Chopin Tue, 30 Nov 2021 10:54:17 +0100 Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1: krb5 (1.19.2-1) experimental; urgency=medium * New Upstream version * Include patch to work with OpenSSL 3.0, Closes: #995152 * Depend on tex-gyre, Closes: #997407 -- Sam Hartman Wed, 27 Oct 2021 14:04:42 -0600 Since we are already at 1.19.2, we might as well merge/sync with experimental. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1959126] [NEW] Consider update to 3.68.2
Public bug reported: Debian is shipping nss 3.73.1, but that is not an ESR release. Ubuntu is on 3.68, which is ESR, but two releases behind: upstream has 3.68.2. Here are upstream's release notes: 3.68.1: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/jFIuiWbCphk Changes: - Bug 1735028 - check for missing signedData field. - Bug 1737470 - Ensure DER encoded signatures are within size limits. 3.68.2: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uGRwqw6Ove8 Change: - Bug 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation Our 3.68 package has a patch for CVE-2021-43527. It's unclear if any of the above changes is that CVE. The most promising one was bug 1737470, but the bug is private. The request here is to investigate if our patched 3.68 has one or more of the fixes in the above point releases, and if it would be worth it to go to 3.68.2. I think we should not go to 3.7x. Ubuntu has been on 3.68 since impish. ** Affects: nss (Ubuntu) Importance: Undecided Status: New ** Tags: server-todo -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1959126 Title: Consider update to 3.68.2 Status in nss package in Ubuntu: New Bug description: Debian is shipping nss 3.73.1, but that is not an ESR release. Ubuntu is on 3.68, which is ESR, but two releases behind: upstream has 3.68.2. Here are upstream's release notes: 3.68.1: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/jFIuiWbCphk Changes: - Bug 1735028 - check for missing signedData field. - Bug 1737470 - Ensure DER encoded signatures are within size limits. 3.68.2: https://groups.google.com/a/mozilla.org/g/dev-tech-crypto/c/uGRwqw6Ove8 Change: - Bug 966856 - Add SHA-2 support to mozilla::pkix's OCSP implementation Our 3.68 package has a patch for CVE-2021-43527. It's unclear if any of the above changes is that CVE. The most promising one was bug 1737470, but the bug is private. The request here is to investigate if our patched 3.68 has one or more of the fixes in the above point releases, and if it would be worth it to go to 3.68.2. I think we should not go to 3.7x. Ubuntu has been on 3.68 since impish. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1959126/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1959101] [NEW] sync/merge krb5
Public bug reported: We went ahead of debian because of openssl3: krb5 (1.19.2-0ubuntu1) jammy; urgency=medium [ Sam Hartman ] * New Upstream version * Depend on tex-gyre, Closes: #997407 [Simon Chopin] * d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch: Cherry-picked from upstream master to fix OpenSSL3 build. Closes: #995152, LP: #1945795 -- Simon Chopin Tue, 30 Nov 2021 10:54:17 +0100 Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1: krb5 (1.19.2-1) experimental; urgency=medium * New Upstream version * Include patch to work with OpenSSL 3.0, Closes: #995152 * Depend on tex-gyre, Closes: #997407 -- Sam Hartman Wed, 27 Oct 2021 14:04:42 -0600 Since we are already at 1.19.2, we might as well merge/sync with experimental. ** Affects: krb5 (Ubuntu) Importance: Undecided Status: New ** Tags: needs-merge ** Changed in: krb5 (Ubuntu) Milestone: None => ubuntu-22.01 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1959101 Title: sync/merge krb5 Status in krb5 package in Ubuntu: New Bug description: We went ahead of debian because of openssl3: krb5 (1.19.2-0ubuntu1) jammy; urgency=medium [ Sam Hartman ] * New Upstream version * Depend on tex-gyre, Closes: #997407 [Simon Chopin] * d/p/0012-Fix-softpkcs11-build-issues-with-openssl-3.0.patch: Cherry-picked from upstream master to fix OpenSSL3 build. Closes: #995152, LP: #1945795 -- Simon Chopin Tue, 30 Nov 2021 10:54:17 +0100 Debian unstable still has 1.18.3-7, but experimental got 1.19.2-1: krb5 (1.19.2-1) experimental; urgency=medium * New Upstream version * Include patch to work with OpenSSL 3.0, Closes: #995152 * Depend on tex-gyre, Closes: #997407 -- Sam Hartman Wed, 27 Oct 2021 14:04:42 -0600 Since we are already at 1.19.2, we might as well merge/sync with experimental. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1959101/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1957076] Re: sync cyrus-sasl2 2.1.27+dfsg2-3
This bug was fixed in the package cyrus-sasl2 - 2.1.27+dfsg2-3 --- cyrus-sasl2 (2.1.27+dfsg2-3) unstable; urgency=medium [ Andreas Hasenack ] * Fix configure.ac for autoconf 2.70 (Closes: #1003355, #1000152) -- Bastian Germann Tue, 11 Jan 2022 11:25:37 +0100 ** Changed in: cyrus-sasl2 (Ubuntu) Status: In Progress => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1957076 Title: sync cyrus-sasl2 2.1.27+dfsg2-3 Status in cyrus-sasl2 package in Ubuntu: Fix Released Bug description: It has the fix for bug #1956833, which is our only delta presently. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1957076/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1957076] Re: sync cyrus-sasl2 2.1.27+dfsg2-3
** Changed in: cyrus-sasl2 (Ubuntu) Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1957076 Title: sync cyrus-sasl2 2.1.27+dfsg2-3 Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: It has the fix for bug #1956833, which is our only delta presently. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1957076/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1957076] Re: sync cyrus-sasl2 2.1.27+dfsg2-3
** Changed in: cyrus-sasl2 (Ubuntu) Milestone: None => ubuntu-22.01 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1957076 Title: sync cyrus-sasl2 2.1.27+dfsg2-3 Status in cyrus-sasl2 package in Ubuntu: Triaged Bug description: It has the fix for bug #1956833, which is our only delta presently. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1957076/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1677781] Re: Missing dep8 tests
We were recently hit by bug #1956833, where GSS-SPNEGO was suddenly disabled and nobody noticed until an app tried to use it. For that case, I'm thinking about a very simple test that would be like this: for algo in $ALGORITHMS; do saslpluginviewer -m $algo > /dev/null || { echo "Algorithm $algo not available" exit 1 } done And ALGORITHMS is a list of the algorithms we expect to always be available, like: SCRAM-SHA-1 SCRAM-SHA-256 GS2-IAKERB GS2-KRB5 GSS-SPNEGO GSSAPI DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS ** Tags added: bitesize -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1677781 Title: Missing dep8 tests Status in cyrus-sasl2 package in Ubuntu: New Bug description: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 As of March 29, 2017, this source package did not contain dep8 tests in the current development release of Ubuntu, named Zesty. This was determined by running `pull-lp-source cyrus-sasl2 zesty` and then checking for the existence of 'debian/tests/' and 'debian/tests/control'. Test automation is essential to higher levels of quality and confidence in updates to packages. dep8 tests [1] specify how automatic testing can be integrated into packages and then run by package maintainers before new uploads. This defect is to report the absence of these tests and to report the opportunity as a potential item for development by both new and experienced contributors. [1] http://packaging.ubuntu.com/html/auto-pkg-test.html affects ubuntu/cyrus-sasl2 status new importance wishlist tag needs-dep8 - --- Joshua Powers Ubuntu Server Canonical Ltd -BEGIN PGP SIGNATURE- iQIcBAEBCAAGBQJY3XaTAAoJEIP8BxPaZgwlJr8P/j8yn8mXWnAIiXUgHX7jBIGj JuMQGO5wwcfHRxOwJEOlsO/SIATUN1L1BB84anP7Bp4cfLqXonF8eKFPkEotwaf1 3wADCH98EwLuSyJOaKXsTQHppAKdJ6UEW4jHvfhYizenEWssPfCQdg68LSGZ2enR wD9ZhZgjwJIpLbqDTp7ygklR0htf4ZAFq/vIcyLykT6qagVE3xC8SAgd+7tb/fYe 4PYfqgGso/qpL0v6JL+YkCKH/aiMYV+HD45o1NcUbGdoiuUa9jpeYSSTP/9OgWpY nALDXe/dJZT/wz5Zv0cy6sGRh7gtjVqI0608WAM00Jp8CmFX60z4yrq/3t37wKbz iDQF4HyltqfCNF5oQ6xva9xAq/c2tyP8nBHzQ+ZtH/o1hyS/JdgoR38OojldyUc5 WzcTFL+h612ZVZVNm4lqBpg/0dpEkwXTE9KczyB5kSr5VVz0WXtjU5wFxKMdZpr5 Gq9uM+fHU4YHQqfGGZxmHFOgz7tCAyEsZEzpnPiYvoSksj3tJMkQG7FbIISltort CBAwLIt1hLR9g4T3p0e4ipCJf6kL/yZR3kMGhsjbDe012bTaC8ZeLG7VYmWkBaxY ieFMZIxmGgCq7KjDfNPh9JEmCtNgenkEOu6BszZK+gwmhL/AxVuuNRdd5OeBGy3G WY9JzBOc6MUi46Hh9ZN5 =szTz -END PGP SIGNATURE- To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1677781/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1957076] [NEW] sync cyrus-sasl2 2.1.27+dfsg2-3
Public bug reported: It has the fix for bug #1956833, which is our only delta presently. ** Affects: cyrus-sasl2 (Ubuntu) Importance: Undecided Assignee: Andreas Hasenack (ahasenack) Status: Triaged ** Tags: needs-merge -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1957076 Title: sync cyrus-sasl2 2.1.27+dfsg2-3 Status in cyrus-sasl2 package in Ubuntu: Triaged Bug description: It has the fix for bug #1956833, which is our only delta presently. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1957076/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1956833] Re: No GSS-SPNEGO support in jammy
** Bug watch added: Debian Bug tracker #1003355 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003355 ** Also affects: cyrus-sasl2 (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003355 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1956833 Title: No GSS-SPNEGO support in jammy Status in cyrus-sasl2 package in Ubuntu: In Progress Status in cyrus-sasl2 package in Debian: Unknown Bug description: In jammy: root@j1:~# saslpluginviewer | head | grep SPNEGO root@j1:~# Confirming against a windows 2016 active directory server, fully patched: root@j1:~# ldapwhoami -Y GSS-SPNEGO ldap_sasl_interactive_bind: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found gssapi (kerberos) works: root@j1:~# ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator root@j1:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administra...@internal.example.fake Valid starting ExpiresService principal 01/08/22 22:31:48 01/09/22 08:31:48 krbtgt/internal.example.f...@internal.example.fake renew until 01/09/22 22:31:45 01/08/22 22:34:53 01/09/22 08:31:48 ldap/win-kriet1e5elo.internal.example.fake@ renew until 01/09/22 22:31:45 Ticket server: ldap/win-kriet1e5elo.internal.example.f...@internal.example.fake In focal, GSS-SPNEGO works: root@f1:~# saslpluginviewer | head | grep SPNEGO GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS Confirming with ldapwhoami: root@f1:~# ldapwhoami -Y GSS-SPNEGO SASL/GSS-SPNEGO authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1956833/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1956833] Re: No GSS-SPNEGO support in jammy
Nice discussion at https://bugzilla.redhat.com/show_bug.cgi?format=multiple=1943013 Fix: https://github.com/cyrusimap/cyrus-sasl/pull/644 ** Bug watch added: Red Hat Bugzilla #1943013 https://bugzilla.redhat.com/show_bug.cgi?id=1943013 ** Changed in: cyrus-sasl2 (Ubuntu) Importance: Undecided => High ** Changed in: cyrus-sasl2 (Ubuntu) Status: New => In Progress ** Changed in: cyrus-sasl2 (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1956833 Title: No GSS-SPNEGO support in jammy Status in cyrus-sasl2 package in Ubuntu: In Progress Bug description: In jammy: root@j1:~# saslpluginviewer | head | grep SPNEGO root@j1:~# Confirming against a windows 2016 active directory server, fully patched: root@j1:~# ldapwhoami -Y GSS-SPNEGO ldap_sasl_interactive_bind: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found gssapi (kerberos) works: root@j1:~# ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator root@j1:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administra...@internal.example.fake Valid starting ExpiresService principal 01/08/22 22:31:48 01/09/22 08:31:48 krbtgt/internal.example.f...@internal.example.fake renew until 01/09/22 22:31:45 01/08/22 22:34:53 01/09/22 08:31:48 ldap/win-kriet1e5elo.internal.example.fake@ renew until 01/09/22 22:31:45 Ticket server: ldap/win-kriet1e5elo.internal.example.f...@internal.example.fake In focal, GSS-SPNEGO works: root@f1:~# saslpluginviewer | head | grep SPNEGO GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS Confirming with ldapwhoami: root@f1:~# ldapwhoami -Y GSS-SPNEGO SASL/GSS-SPNEGO authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1956833/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1956833] Re: No GSS-SPNEGO support in jammy
In the jammy build log (https://launchpadlibrarian.net/570726294/buildlog_ubuntu-jammy- amd64.cyrus-sasl2_2.1.27+dfsg2-2build1_BUILDING.txt.gz), we have this error which is not present in the impish build for example: checking for SPNEGO support in GSSAPI libraries... ../configure: line 18854: ac_fn_c_try_run: command not found no -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1956833 Title: No GSS-SPNEGO support in jammy Status in cyrus-sasl2 package in Ubuntu: New Bug description: In jammy: root@j1:~# saslpluginviewer | head | grep SPNEGO root@j1:~# Confirming against a windows 2016 active directory server, fully patched: root@j1:~# ldapwhoami -Y GSS-SPNEGO ldap_sasl_interactive_bind: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found gssapi (kerberos) works: root@j1:~# ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator root@j1:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administra...@internal.example.fake Valid starting ExpiresService principal 01/08/22 22:31:48 01/09/22 08:31:48 krbtgt/internal.example.f...@internal.example.fake renew until 01/09/22 22:31:45 01/08/22 22:34:53 01/09/22 08:31:48 ldap/win-kriet1e5elo.internal.example.fake@ renew until 01/09/22 22:31:45 Ticket server: ldap/win-kriet1e5elo.internal.example.f...@internal.example.fake In focal, GSS-SPNEGO works: root@f1:~# saslpluginviewer | head | grep SPNEGO GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS Confirming with ldapwhoami: root@f1:~# ldapwhoami -Y GSS-SPNEGO SASL/GSS-SPNEGO authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1956833/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1956833] Re: No GSS-SPNEGO support in jammy
Impish also works: root@i1:~# saslpluginviewer | head | grep SPNEGO SCRAM-SHA-1 SCRAM-SHA-256 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS SCRAM-SHA-1 SCRAM-SHA-256 GS2-IAKERB GS2-KRB5 GSSAPI GSS-SPNEGO DIGEST-MD5 CRAM-MD5 NTLM PLAIN LOGIN ANONYMOUS root@i1:~# ldapwhoami -Y GSS-SPNEGO SASL/GSS-SPNEGO authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1956833 Title: No GSS-SPNEGO support in jammy Status in cyrus-sasl2 package in Ubuntu: New Bug description: In jammy: root@j1:~# saslpluginviewer | head | grep SPNEGO root@j1:~# Confirming against a windows 2016 active directory server, fully patched: root@j1:~# ldapwhoami -Y GSS-SPNEGO ldap_sasl_interactive_bind: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found gssapi (kerberos) works: root@j1:~# ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator root@j1:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administra...@internal.example.fake Valid starting ExpiresService principal 01/08/22 22:31:48 01/09/22 08:31:48 krbtgt/internal.example.f...@internal.example.fake renew until 01/09/22 22:31:45 01/08/22 22:34:53 01/09/22 08:31:48 ldap/win-kriet1e5elo.internal.example.fake@ renew until 01/09/22 22:31:45 Ticket server: ldap/win-kriet1e5elo.internal.example.f...@internal.example.fake In focal, GSS-SPNEGO works: root@f1:~# saslpluginviewer | head | grep SPNEGO GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS Confirming with ldapwhoami: root@f1:~# ldapwhoami -Y GSS-SPNEGO SASL/GSS-SPNEGO authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1956833/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1956833] [NEW] No GSS-SPNEGO support in jammy
Public bug reported: In jammy: root@j1:~# saslpluginviewer | head | grep SPNEGO root@j1:~# Confirming against a windows 2016 active directory server, fully patched: root@j1:~# ldapwhoami -Y GSS-SPNEGO ldap_sasl_interactive_bind: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found gssapi (kerberos) works: root@j1:~# ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator root@j1:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administra...@internal.example.fake Valid starting ExpiresService principal 01/08/22 22:31:48 01/09/22 08:31:48 krbtgt/internal.example.f...@internal.example.fake renew until 01/09/22 22:31:45 01/08/22 22:34:53 01/09/22 08:31:48 ldap/win-kriet1e5elo.internal.example.fake@ renew until 01/09/22 22:31:45 Ticket server: ldap/win-kriet1e5elo.internal.example.f...@internal.example.fake In focal, GSS-SPNEGO works: root@f1:~# saslpluginviewer | head | grep SPNEGO GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS Confirming with ldapwhoami: root@f1:~# ldapwhoami -Y GSS-SPNEGO SASL/GSS-SPNEGO authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator ** Affects: cyrus-sasl2 (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1956833 Title: No GSS-SPNEGO support in jammy Status in cyrus-sasl2 package in Ubuntu: New Bug description: In jammy: root@j1:~# saslpluginviewer | head | grep SPNEGO root@j1:~# Confirming against a windows 2016 active directory server, fully patched: root@j1:~# ldapwhoami -Y GSS-SPNEGO ldap_sasl_interactive_bind: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found gssapi (kerberos) works: root@j1:~# ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator root@j1:~# klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: administra...@internal.example.fake Valid starting ExpiresService principal 01/08/22 22:31:48 01/09/22 08:31:48 krbtgt/internal.example.f...@internal.example.fake renew until 01/09/22 22:31:45 01/08/22 22:34:53 01/09/22 08:31:48 ldap/win-kriet1e5elo.internal.example.fake@ renew until 01/09/22 22:31:45 Ticket server: ldap/win-kriet1e5elo.internal.example.f...@internal.example.fake In focal, GSS-SPNEGO works: root@f1:~# saslpluginviewer | head | grep SPNEGO GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 EXTERNAL NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS GS2-IAKERB GS2-KRB5 SCRAM-SHA-1 SCRAM-SHA-256 GSSAPI GSS-SPNEGO DIGEST-MD5 NTLM CRAM-MD5 PLAIN LOGIN ANONYMOUS Confirming with ldapwhoami: root@f1:~# ldapwhoami -Y GSS-SPNEGO SASL/GSS-SPNEGO authentication started SASL username: administra...@internal.example.fake SASL SSF: 256 SASL data security layer installed. u:INTEXAMPLE\Administrator To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1956833/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1953200] Re: [jammy] FTBFS, gcc ICE?
Maybe https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101346 ? ** Also affects: gcc-11 (Ubuntu) Importance: Undecided Status: New ** Bug watch added: GCC Bugzilla #101346 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101346 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mir in Ubuntu. https://bugs.launchpad.net/bugs/1953200 Title: [jammy] FTBFS, gcc ICE? Status in gcc-11 package in Ubuntu: New Status in mir package in Ubuntu: New Bug description: https://launchpad.net/ubuntu/+source/mir/2.4.1-0ubuntu3 [ 38%] Building CXX object src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o cd /<>/build-amd64/src/client && /usr/bin/c++ -DCLIENT_PLATFORM_VERSION=\"MIR_CLIENT_PLATFORM_5\" -DEGL_NO_X11 -DLOG_NDEBUG=1 -DLTTNG_UST_HAVE_SDT_INTEGRATION -DMESA_EGL_NO_X11_HEADERS -DMIR_CLIENT_PLATFORM_PATH=\"/usr/lib/x86_64-linux-gnu/mir/client-platform/\" -DMIR_DRMMODEADDFB_HAS_CONST_SIGNATURE -DMIR_LOG_COMPONENT_FALLBACK=\"mirclient\" -DMIR_VERSION_MAJOR=2 -DMIR_VERSION_MICRO=1 -DMIR_VERSION_MINOR=4 -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -I/<>/include/core -I/<>/include/common -I/<>/include/cookie -I/<>/src/include/common -I/<>/build-amd64/src/capnproto -I/<>/build-amd64/src/protobuf -I/<>/build-amd64/src/client -I/<>/include/platform -I/<>/include/client -I/<>/src/include/client -I/<>/src/include/cookie -I/usr/include/libdrm -g -O2 -ffile-prefix-map=/<>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -pthread -g -std=c++17 -Wall -fno-strict-aliasing -pedantic -Wnon-virtual-dtor -Wextra -fPIC -Werror -Wno-mismatched-tags -Wno-psabi -flto -ffat-lto-objects -std=c++17 -MD -MT src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -MF CMakeFiles/mirclientobjects.dir/event_printer.cpp.o.d -o CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -c /<>/src/client/event_printer.cpp In file included from /usr/include/boost/bind.hpp:30, from /<>/src/client/rpc/mir_protobuf_rpc_channel.cpp:44: /usr/include/boost/bind.hpp:36:1: note: ‘#pragma message: The practice of declaring the Bind placeholders (_1, _2, ...) in the global namespace is deprecated. Please use + using namespace boost::placeholders, or define BOOST_BIND_GLOBAL_PLACEHOLDERS to retain the current behavior.’ 36 | BOOST_PRAGMA_MESSAGE( | ^~~~ The bug is not reproducible, so it is likely a hardware or OS problem. make[3]: *** [src/client/lttng/CMakeFiles/mirclientlttng-static.dir/build.make:107: src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o] Error 1 make[3]: Leaving directory '/<>/build-amd64' make[2]: *** [CMakeFiles/Makefile2:4657: src/client/lttng/CMakeFiles/mirclientlttng-static.dir/all] Error 2 make[2]: *** Waiting for unfinished jobs Possibly relevant, this seems to be using boost 1.74.0-13ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gcc-11/+bug/1953200/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1953200] Re: [jammy] FTBFS, gcc ICE?
Actually, this may be an ICE. Further up in the logs we see: [ 37%] Building CXX object src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o cd /<>/build-amd64/src/client/lttng && /usr/bin/c++ -DCLIENT_PLATFORM_VERSION=\"MIR_CLIENT_PLATFORM_5\" -DEGL_NO_X11 -DLOG_NDEBUG=1 -DLTTNG_UST_HAVE_SDT_INTEGRATION -DMESA_EGL_NO_X11_HEADERS -DMIR_CLIENT_PLATFORM_PATH=\"/usr/lib/x86_64-linux-gnu/mir/client-platform/\" -DMIR_DRMMODEADDFB_HAS_CONST_SIGNATURE -DMIR_LOG_COMPONENT_FALLBACK=\"mirclient\" -DMIR_VERSION_MAJOR=2 -DMIR_VERSION_MICRO=1 -DMIR_VERSION_MINOR=4 -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -I/<>/include/core -I/<>/include/common -I/<>/include/cookie -I/<>/src/include/common -I/<>/build-amd64/src/capnproto -I/<>/build-amd64/src/protobuf -I/<>/build-amd64/src/client -I/<>/include/platform -I/<>/include/client -I/<>/src/include/client -I/<>/src/include/cookie -I/usr/include/libdrm -I/<>/src/client/lttng -g -O2 -ffile-prefix-map=/<>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -pthread -g -std=c++17 -Wall -fno-strict-aliasing -Wnon-virtual-dtor -Wextra -fPIC -Werror -Wno-mismatched-tags -Wno-psabi -flto -ffat-lto-objects -Wno-error=missing-field-initializers -Wno-error=unused-function -std=c++17 -MD -MT src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o -MF CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o.d -o CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o -c /<>/src/client/lttng/input_receiver_report.cpp during RTL pass: reload /<>/src/client/lttng/input_receiver_report.cpp: In member function ‘mir::client::lttng::InputReceiverReport::report_touch(MirInputEvent const*) const’: /<>/src/client/lttng/input_receiver_report.cpp:80:1: internal compiler error: maximum number of generated reload insns per insn achieved (90) 80 | } | ^ 0x7fedb2989fcf __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 0x7fedb298a07c __libc_start_main_impl ../csu/libc-start.c:409 Please submit a full bug report, with preprocessed source if appropriate. Please include the complete backtrace with any bug report. See for instructions. ** Summary changed: - [jammy] FTBFS with boost + [jammy] FTBFS, gcc ICE? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mir in Ubuntu. https://bugs.launchpad.net/bugs/1953200 Title: [jammy] FTBFS, gcc ICE? Status in mir package in Ubuntu: New Bug description: https://launchpad.net/ubuntu/+source/mir/2.4.1-0ubuntu3 [ 38%] Building CXX object src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o cd /<>/build-amd64/src/client && /usr/bin/c++ -DCLIENT_PLATFORM_VERSION=\"MIR_CLIENT_PLATFORM_5\" -DEGL_NO_X11 -DLOG_NDEBUG=1 -DLTTNG_UST_HAVE_SDT_INTEGRATION -DMESA_EGL_NO_X11_HEADERS -DMIR_CLIENT_PLATFORM_PATH=\"/usr/lib/x86_64-linux-gnu/mir/client-platform/\" -DMIR_DRMMODEADDFB_HAS_CONST_SIGNATURE -DMIR_LOG_COMPONENT_FALLBACK=\"mirclient\" -DMIR_VERSION_MAJOR=2 -DMIR_VERSION_MICRO=1 -DMIR_VERSION_MINOR=4 -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -I/<>/include/core -I/<>/include/common -I/<>/include/cookie -I/<>/src/include/common -I/<>/build-amd64/src/capnproto -I/<>/build-amd64/src/protobuf -I/<>/build-amd64/src/client -I/<>/include/platform -I/<>/include/client -I/<>/src/include/client -I/<>/src/include/cookie -I/usr/include/libdrm -g -O2 -ffile-prefix-map=/<>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -pthread -g -std=c++17 -Wall -fno-strict-aliasing -pedantic -Wnon-virtual-dtor -Wextra -fPIC -Werror -Wno-mismatched-tags -Wno-psabi -flto -ffat-lto-objects -std=c++17 -MD -MT src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -MF CMakeFiles/mirclientobjects.dir/event_printer.cpp.o.d -o CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -c /<>/src/client/event_printer.cpp In file included from /usr/include/boost/bind.hpp:30, from /<>/src/client/rpc/mir_protobuf_rpc_channel.cpp:44: /usr/include/boost/bind.hpp:36:1: note: ‘#pragma message: The practice of declaring the Bind placeholders (_1, _2, ...) in the global namespace is deprecated. Please use + using namespace boost::placeholders, or define BOOST_BIND_GLOBAL_PLACEHOLDERS to retain the current behavior.’ 36 | BOOST_PRAGMA_MESSAGE( | ^~~~ The bug is not reproducible, so it is likely a hardware or OS problem. make[3]: *** [src/client/lttng/CMakeFiles/mirclientlttng-static.dir/build.make:107: src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o] Error 1 make[3]: Leaving directory '/<>/build-amd64' make[2]: *** [CMakeFiles/Makefile2:4657: src/client/lttng/CMakeFiles/mirclientlttng-static.dir/all] Error 2 make[2]: *** Waiting for
[Touch-packages] [Bug 1953065] Re: 2.13.0 FTBFS
Fix was merged usptream, and 2.13.1 contains it. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ust in Ubuntu. https://bugs.launchpad.net/bugs/1953065 Title: 2.13.0 FTBFS Status in LTTng-UST: Unknown Status in ust package in Ubuntu: In Progress Bug description: I tried to merge ust from debian into ubuntu, to fix a build-time dependency, but stumbled on an FTBFS with that version. I filed upstream bug at https://bugs.lttng.org/issues/1337 It basically happens in some new test cases that were added in 2.13.0 and crash when we build it using our default -Wl,-Bsymbolic-flags linker option, which we have been using for years in Ubuntu. Here is the testsuite log output: lttng-ust 2.14.0-pre: tests/test-suite.log # TOTAL: 246 # PASS: 241 # SKIP: 0 # XFAIL: 0 # FAIL: 4 # XPASS: 0 # ERROR: 1 .. contents:: :depth: 2 ERROR: regression/abi0-conflict/test_abi0_conflict == 1..22 # LD_PRELOAD # regression/abi0-conflict/test_abi0_conflict: LD_PRELOAD ok 1 - LD_PRELOAD: no-ust app works PASS: regression/abi0-conflict/test_abi0_conflict 1 - LD_PRELOAD: no-ust app works ok 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds PASS: regression/abi0-conflict/test_abi0_conflict 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds ./regression/abi0-conflict/test_abi0_conflict: line 56: 592651 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 59: 592652 Aborted (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails ok 5 - LD_PRELOAD: ust app works PASS: regression/abi0-conflict/test_abi0_conflict 5 - LD_PRELOAD: ust app works ./regression/abi0-conflict/test_abi0_conflict: line 68: 592669 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 6 - LD_PRELOAD: ust app with abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 6 - LD_PRELOAD: ust app with abi0 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 71: 592683 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 74: 592684 Aborted (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails # dlopen # regression/abi0-conflict/test_abi0_conflict: dlopen ok 9 - dlopen: no-ust app works PASS: regression/abi0-conflict/test_abi0_conflict 9 - dlopen: no-ust app works ok 10 - dlopen: no-ust app with abi1 and abi1 succeeds PASS: regression/abi0-conflict/test_abi0_conflict 10 - dlopen: no-ust app with abi1 and abi1 succeeds ./regression/abi0-conflict/test_abi0_conflict: line 92: 592689 Aborted (core dumped) LD_LIBRARY_PATH="$LIBFAKEUST0_PATH:$LIBUST1_PATH" "${CURDIR}/app_noust_dlopen" abi0_abi1 > "$STD_OUTPUT" 2> "$STD_ERROR" ok 11 - dlopen: no-ust app with abi0 and abi1 fails PASS: regression/abi0-conflict/test_abi0_conflict 11 - dlopen: no-ust app with abi0 and abi1 fails not ok 12 - dlopen: no-ust app with abi1 and abi0 fails FAIL: regression/abi0-conflict/test_abi0_conflict 12 - dlopen: no-ust app with abi1 and abi0 fails # Failed test 'dlopen: no-ust app with abi1 and abi0 fails' # regression/abi0-conflict/test_abi0_conflict: Failed test 'dlopen: no-ust app with abi1 and abi0 fails' # in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300. # regression/abi0-conflict/test_abi0_conflict: in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300. # got: '0' # regression/abi0-conflict/test_abi0_conflict: got: '0' # expected: '0' # regression/abi0-conflict/test_abi0_conflict: expected: '0' ok 13 - dlopen: ust app works PASS:
[Touch-packages] [Bug 1823422] Re: heimdal ftbfs in disco
Disco is EOL, and the package builds fine in current devel release. Closing the bug. ** Changed in: heimdal (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to heimdal in Ubuntu. https://bugs.launchpad.net/bugs/1823422 Title: heimdal ftbfs in disco Status in Heimdal: New Status in heimdal package in Ubuntu: Fix Released Status in heimdal package in Debian: Fix Released Bug description: https://launchpadlibrarian.net/417925401/buildlog_ubuntu-disco- amd64.heimdal_7.5.0+dfsg-2.1_BUILDING.txt.gz = Heimdal 7.5.0: lib/hx509/test-suite.log = # TOTAL: 16 # PASS: 15 # SKIP: 0 # XFAIL: 0 # FAIL: 1 # XPASS: 0 # ERROR: 0 .. contents:: :depth: 2 FAIL: test_chain cert -> root cert -> root cert -> root sub-cert -> root sub-cert -> sub-ca -> root sub-cert -> sub-ca sub-cert -> sub-ca -> root sub-cert -> sub-ca -> root sub-cert -> sub-ca -> root max depth 2 (ok) max depth 1 (fail) ocsp non-ca responder ocsp ca responder ocsp no-ca responder, missing cert ocsp no-ca responder, missing cert, in pool ocsp no-ca responder, keyHash ocsp revoked cert ocsp print reply resp1-ocsp-no-cert ocsp print reply resp1-ca ocsp print reply resp1-keyhash ocsp print reply resp2 ocsp verify exists ocsp verify not exists ocsp verify revoked crl non-revoked cert FAIL test_chain (exit status: 1) Testsuite summary for Heimdal 7.5.0 # TOTAL: 16 # PASS: 15 # SKIP: 0 # XFAIL: 0 # FAIL: 1 # XPASS: 0 # ERROR: 0 See lib/hx509/test-suite.log Please report to https://github.com/heimdal/heimdal/issues To manage notifications about this bug go to: https://bugs.launchpad.net/heimdal/+bug/1823422/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1946860] Re: Merge heimdal from Debian unstable for 22.04
** Changed in: heimdal (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to heimdal in Ubuntu. https://bugs.launchpad.net/bugs/1946860 Title: Merge heimdal from Debian unstable for 22.04 Status in heimdal package in Ubuntu: In Progress Bug description: Upstream: tbd Debian: 7.7.0+dfsg-2 Ubuntu: 7.7.0+dfsg-2ubuntu2 ### New Debian Changes ### heimdal (7.7.0+dfsg-2) unstable; urgency=medium * Build using python3. Closes: #936695, #960032. -- Brian May Tue, 12 May 2020 06:56:04 +1000 heimdal (7.7.0+dfsg-1) unstable; urgency=medium * New upstream version. * Fix CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC. Closes: #946786. -- Brian May Tue, 17 Dec 2019 20:23:41 +1100 heimdal (7.5.0+dfsg-3) unstable; urgency=high * CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum. Closes: #928966. * CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT. Closes: #929064. * Update test certificates to pre 2038 expiry. Closes: #923930. -- Brian May Tue, 21 May 2019 18:04:35 +1000 heimdal (7.5.0+dfsg-2.1) unstable; urgency=medium * Non-maintainer upload * Add patch to create headers before building (Closes: 906623) -- Hilko Bengen Sun, 28 Oct 2018 15:10:44 +0100 heimdal (7.5.0+dfsg-2) unstable; urgency=medium * Replace 'MAXHOSTNAMELEN' with 'MaxHostNameLen' in kdc/kx509.c for The Hurd. Closes: #900079. -- Brian May Sat, 02 Jun 2018 10:01:46 +1000 heimdal (7.5.0+dfsg-1) unstable; urgency=high * New upstream version. (Closes: #850723) + CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.4 (Closes: #878144, #868157) + Refresh patches. * Bump Standards-Version to 4.1.2 and compat level to 10. + Remove explicit reference to dh-autoreconf. * Use uscan to get orig source. + Refrain from mangling some bundled RFC texts; just exclude the mas they are not installed into any binary anyway. + Update d/copyright to DEP-5. + Can now use standard uscan/gbp/pristine-tar workflow. * Fix some lintian errors/warnings. + Strip trailing whitespace from changelog. + Fix some duplicate long descriptions. + Use optional priority everywhere. + Update/remove some overrides. + Enforce set -e in maintainer scripts. + Enable hardening. * Migrate to -dbgsym. * Add myself to uploaders. -- Dominik George Fri, 15 Dec 2017 01:13:04 +0100 heimdal (7.4.0.dfsg.1-2) unstable; urgency=medium [ Jelmer Vernooij ] * Remove myself from uploaders. [ Brian May ] * Be explicit with heimdal.mkey filename in postinst. Closes: #868638. * Tests should respect DEB_BUILD_OPTIONS=nocheck. Closes: #868842. -- Brian May Sun, 23 Jul 2017 10:32:34 +1000 heimdal (7.4.0.dfsg.1-1) unstable; urgency=high * New upstream version. * Update standards version to 4.0.0. * CVE-2017-11103: Fix Orpheus' Lyre KDC-REP service name validation. (Closes: #868208). -- Brian May Sat, 15 Jul 2017 19:47:32 +1000 heimdal (7.1.0+dfsg-13) unstable; urgency=medium * Add missing symbols base64_decode and base64_encode back into libroken. Closes: #848694. -- Brian May Wed, 26 Apr 2017 19:38:20 +1000 heimdal (7.1.0+dfsg-12) unstable; urgency=high * Fix transit path validation CVE-2017-6594. -- Brian May Mon, 10 Apr 2017 17:21:35 +1000 heimdal (7.1.0+dfsg-11) unstable; urgency=medium * Remove legacy provides/conflicts/replaces headers. Old daemons ### Old Ubuntu Delta ### heimdal (7.7.0+dfsg-2ubuntu2) impish; urgency=medium * Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226 (LP: #1945787) -- Heinrich Schuchardt Fri, 01 Oct 2021 15:03:02 +0200 heimdal (7.7.0+dfsg-2ubuntu1) impish; urgency=medium * Disable lto, to regain dep on roken, otherwise dependencies on amd64 are different to i386 resulting in different files on amd64 and i386. LP: #1934936 -- Dimitri John Ledkov Tue, 20 Jul 2021 10:32:53 +0100 heimdal (7.7.0+dfsg-2build1) impish; urgency=medium * No-change rebuild due to OpenLDAP soname bump. -- Sergio Durigan Junior Mon, 21 Jun 2021 17:48:49 -0400 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1946860/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1946860] Re: Merge heimdal from Debian unstable for 22.04
** Changed in: heimdal (Ubuntu) Milestone: ubuntu-21.11 => ubuntu-21.12 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to heimdal in Ubuntu. https://bugs.launchpad.net/bugs/1946860 Title: Merge heimdal from Debian unstable for 22.04 Status in heimdal package in Ubuntu: New Bug description: Upstream: tbd Debian: 7.7.0+dfsg-2 Ubuntu: 7.7.0+dfsg-2ubuntu2 ### New Debian Changes ### heimdal (7.7.0+dfsg-2) unstable; urgency=medium * Build using python3. Closes: #936695, #960032. -- Brian May Tue, 12 May 2020 06:56:04 +1000 heimdal (7.7.0+dfsg-1) unstable; urgency=medium * New upstream version. * Fix CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC. Closes: #946786. -- Brian May Tue, 17 Dec 2019 20:23:41 +1100 heimdal (7.5.0+dfsg-3) unstable; urgency=high * CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum. Closes: #928966. * CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT. Closes: #929064. * Update test certificates to pre 2038 expiry. Closes: #923930. -- Brian May Tue, 21 May 2019 18:04:35 +1000 heimdal (7.5.0+dfsg-2.1) unstable; urgency=medium * Non-maintainer upload * Add patch to create headers before building (Closes: 906623) -- Hilko Bengen Sun, 28 Oct 2018 15:10:44 +0100 heimdal (7.5.0+dfsg-2) unstable; urgency=medium * Replace 'MAXHOSTNAMELEN' with 'MaxHostNameLen' in kdc/kx509.c for The Hurd. Closes: #900079. -- Brian May Sat, 02 Jun 2018 10:01:46 +1000 heimdal (7.5.0+dfsg-1) unstable; urgency=high * New upstream version. (Closes: #850723) + CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.4 (Closes: #878144, #868157) + Refresh patches. * Bump Standards-Version to 4.1.2 and compat level to 10. + Remove explicit reference to dh-autoreconf. * Use uscan to get orig source. + Refrain from mangling some bundled RFC texts; just exclude the mas they are not installed into any binary anyway. + Update d/copyright to DEP-5. + Can now use standard uscan/gbp/pristine-tar workflow. * Fix some lintian errors/warnings. + Strip trailing whitespace from changelog. + Fix some duplicate long descriptions. + Use optional priority everywhere. + Update/remove some overrides. + Enforce set -e in maintainer scripts. + Enable hardening. * Migrate to -dbgsym. * Add myself to uploaders. -- Dominik George Fri, 15 Dec 2017 01:13:04 +0100 heimdal (7.4.0.dfsg.1-2) unstable; urgency=medium [ Jelmer Vernooij ] * Remove myself from uploaders. [ Brian May ] * Be explicit with heimdal.mkey filename in postinst. Closes: #868638. * Tests should respect DEB_BUILD_OPTIONS=nocheck. Closes: #868842. -- Brian May Sun, 23 Jul 2017 10:32:34 +1000 heimdal (7.4.0.dfsg.1-1) unstable; urgency=high * New upstream version. * Update standards version to 4.0.0. * CVE-2017-11103: Fix Orpheus' Lyre KDC-REP service name validation. (Closes: #868208). -- Brian May Sat, 15 Jul 2017 19:47:32 +1000 heimdal (7.1.0+dfsg-13) unstable; urgency=medium * Add missing symbols base64_decode and base64_encode back into libroken. Closes: #848694. -- Brian May Wed, 26 Apr 2017 19:38:20 +1000 heimdal (7.1.0+dfsg-12) unstable; urgency=high * Fix transit path validation CVE-2017-6594. -- Brian May Mon, 10 Apr 2017 17:21:35 +1000 heimdal (7.1.0+dfsg-11) unstable; urgency=medium * Remove legacy provides/conflicts/replaces headers. Old daemons ### Old Ubuntu Delta ### heimdal (7.7.0+dfsg-2ubuntu2) impish; urgency=medium * Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226 (LP: #1945787) -- Heinrich Schuchardt Fri, 01 Oct 2021 15:03:02 +0200 heimdal (7.7.0+dfsg-2ubuntu1) impish; urgency=medium * Disable lto, to regain dep on roken, otherwise dependencies on amd64 are different to i386 resulting in different files on amd64 and i386. LP: #1934936 -- Dimitri John Ledkov Tue, 20 Jul 2021 10:32:53 +0100 heimdal (7.7.0+dfsg-2build1) impish; urgency=medium * No-change rebuild due to OpenLDAP soname bump. -- Sergio Durigan Junior Mon, 21 Jun 2021 17:48:49 -0400 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1946860/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1953200] Re: [jammy] FTBFS with boost
** Tags removed: update-excuses ** Tags added: update-excuse -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mir in Ubuntu. https://bugs.launchpad.net/bugs/1953200 Title: [jammy] FTBFS with boost Status in mir package in Ubuntu: New Bug description: https://launchpad.net/ubuntu/+source/mir/2.4.1-0ubuntu3 [ 38%] Building CXX object src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o cd /<>/build-amd64/src/client && /usr/bin/c++ -DCLIENT_PLATFORM_VERSION=\"MIR_CLIENT_PLATFORM_5\" -DEGL_NO_X11 -DLOG_NDEBUG=1 -DLTTNG_UST_HAVE_SDT_INTEGRATION -DMESA_EGL_NO_X11_HEADERS -DMIR_CLIENT_PLATFORM_PATH=\"/usr/lib/x86_64-linux-gnu/mir/client-platform/\" -DMIR_DRMMODEADDFB_HAS_CONST_SIGNATURE -DMIR_LOG_COMPONENT_FALLBACK=\"mirclient\" -DMIR_VERSION_MAJOR=2 -DMIR_VERSION_MICRO=1 -DMIR_VERSION_MINOR=4 -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -I/<>/include/core -I/<>/include/common -I/<>/include/cookie -I/<>/src/include/common -I/<>/build-amd64/src/capnproto -I/<>/build-amd64/src/protobuf -I/<>/build-amd64/src/client -I/<>/include/platform -I/<>/include/client -I/<>/src/include/client -I/<>/src/include/cookie -I/usr/include/libdrm -g -O2 -ffile-prefix-map=/<>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -pthread -g -std=c++17 -Wall -fno-strict-aliasing -pedantic -Wnon-virtual-dtor -Wextra -fPIC -Werror -Wno-mismatched-tags -Wno-psabi -flto -ffat-lto-objects -std=c++17 -MD -MT src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -MF CMakeFiles/mirclientobjects.dir/event_printer.cpp.o.d -o CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -c /<>/src/client/event_printer.cpp In file included from /usr/include/boost/bind.hpp:30, from /<>/src/client/rpc/mir_protobuf_rpc_channel.cpp:44: /usr/include/boost/bind.hpp:36:1: note: ‘#pragma message: The practice of declaring the Bind placeholders (_1, _2, ...) in the global namespace is deprecated. Please use + using namespace boost::placeholders, or define BOOST_BIND_GLOBAL_PLACEHOLDERS to retain the current behavior.’ 36 | BOOST_PRAGMA_MESSAGE( | ^~~~ The bug is not reproducible, so it is likely a hardware or OS problem. make[3]: *** [src/client/lttng/CMakeFiles/mirclientlttng-static.dir/build.make:107: src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o] Error 1 make[3]: Leaving directory '/<>/build-amd64' make[2]: *** [CMakeFiles/Makefile2:4657: src/client/lttng/CMakeFiles/mirclientlttng-static.dir/all] Error 2 make[2]: *** Waiting for unfinished jobs Possibly relevant, this seems to be using boost 1.74.0-13ubuntu1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/mir/+bug/1953200/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1953200] [NEW] [jammy] FTBFS with boost
Public bug reported: https://launchpad.net/ubuntu/+source/mir/2.4.1-0ubuntu3 [ 38%] Building CXX object src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o cd /<>/build-amd64/src/client && /usr/bin/c++ -DCLIENT_PLATFORM_VERSION=\"MIR_CLIENT_PLATFORM_5\" -DEGL_NO_X11 -DLOG_NDEBUG=1 -DLTTNG_UST_HAVE_SDT_INTEGRATION -DMESA_EGL_NO_X11_HEADERS -DMIR_CLIENT_PLATFORM_PATH=\"/usr/lib/x86_64-linux-gnu/mir/client-platform/\" -DMIR_DRMMODEADDFB_HAS_CONST_SIGNATURE -DMIR_LOG_COMPONENT_FALLBACK=\"mirclient\" -DMIR_VERSION_MAJOR=2 -DMIR_VERSION_MICRO=1 -DMIR_VERSION_MINOR=4 -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -I/<>/include/core -I/<>/include/common -I/<>/include/cookie -I/<>/src/include/common -I/<>/build-amd64/src/capnproto -I/<>/build-amd64/src/protobuf -I/<>/build-amd64/src/client -I/<>/include/platform -I/<>/include/client -I/<>/src/include/client -I/<>/src/include/cookie -I/usr/include/libdrm -g -O2 -ffile-prefix-map=/<>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -pthread -g -std=c++17 -Wall -fno-strict-aliasing -pedantic -Wnon-virtual-dtor -Wextra -fPIC -Werror -Wno-mismatched-tags -Wno-psabi -flto -ffat-lto-objects -std=c++17 -MD -MT src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -MF CMakeFiles/mirclientobjects.dir/event_printer.cpp.o.d -o CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -c /<>/src/client/event_printer.cpp In file included from /usr/include/boost/bind.hpp:30, from /<>/src/client/rpc/mir_protobuf_rpc_channel.cpp:44: /usr/include/boost/bind.hpp:36:1: note: ‘#pragma message: The practice of declaring the Bind placeholders (_1, _2, ...) in the global namespace is deprecated. Please use + using namespace boost::placeholders, or define BOOST_BIND_GLOBAL_PLACEHOLDERS to retain the current behavior.’ 36 | BOOST_PRAGMA_MESSAGE( | ^~~~ The bug is not reproducible, so it is likely a hardware or OS problem. make[3]: *** [src/client/lttng/CMakeFiles/mirclientlttng-static.dir/build.make:107: src/client/lttng/CMakeFiles/mirclientlttng-static.dir/input_receiver_report.cpp.o] Error 1 make[3]: Leaving directory '/<>/build-amd64' make[2]: *** [CMakeFiles/Makefile2:4657: src/client/lttng/CMakeFiles/mirclientlttng-static.dir/all] Error 2 make[2]: *** Waiting for unfinished jobs Possibly relevant, this seems to be using boost 1.74.0-13ubuntu1 ** Affects: mir (Ubuntu) Importance: Undecided Status: New ** Tags: ftbfs update-excuses -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to mir in Ubuntu. https://bugs.launchpad.net/bugs/1953200 Title: [jammy] FTBFS with boost Status in mir package in Ubuntu: New Bug description: https://launchpad.net/ubuntu/+source/mir/2.4.1-0ubuntu3 [ 38%] Building CXX object src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o cd /<>/build-amd64/src/client && /usr/bin/c++ -DCLIENT_PLATFORM_VERSION=\"MIR_CLIENT_PLATFORM_5\" -DEGL_NO_X11 -DLOG_NDEBUG=1 -DLTTNG_UST_HAVE_SDT_INTEGRATION -DMESA_EGL_NO_X11_HEADERS -DMIR_CLIENT_PLATFORM_PATH=\"/usr/lib/x86_64-linux-gnu/mir/client-platform/\" -DMIR_DRMMODEADDFB_HAS_CONST_SIGNATURE -DMIR_LOG_COMPONENT_FALLBACK=\"mirclient\" -DMIR_VERSION_MAJOR=2 -DMIR_VERSION_MICRO=1 -DMIR_VERSION_MINOR=4 -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -I/<>/include/core -I/<>/include/common -I/<>/include/cookie -I/<>/src/include/common -I/<>/build-amd64/src/capnproto -I/<>/build-amd64/src/protobuf -I/<>/build-amd64/src/client -I/<>/include/platform -I/<>/include/client -I/<>/src/include/client -I/<>/src/include/cookie -I/usr/include/libdrm -g -O2 -ffile-prefix-map=/<>=. -flto=auto -ffat-lto-objects -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -pthread -g -std=c++17 -Wall -fno-strict-aliasing -pedantic -Wnon-virtual-dtor -Wextra -fPIC -Werror -Wno-mismatched-tags -Wno-psabi -flto -ffat-lto-objects -std=c++17 -MD -MT src/client/CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -MF CMakeFiles/mirclientobjects.dir/event_printer.cpp.o.d -o CMakeFiles/mirclientobjects.dir/event_printer.cpp.o -c /<>/src/client/event_printer.cpp In file included from /usr/include/boost/bind.hpp:30, from /<>/src/client/rpc/mir_protobuf_rpc_channel.cpp:44: /usr/include/boost/bind.hpp:36:1: note: ‘#pragma message: The practice of declaring the Bind placeholders (_1, _2, ...) in the global namespace is deprecated. Please use + using namespace boost::placeholders, or define BOOST_BIND_GLOBAL_PLACEHOLDERS to retain the current behavior.’ 36 | BOOST_PRAGMA_MESSAGE( | ^~~~ The bug is not reproducible, so it is likely a hardware or OS problem. make[3]: *** [src/client/lttng/CMakeFiles/mirclientlttng-static.dir/build.make:107:
[Touch-packages] [Bug 1953065] Re: 2.13.0 FTBFS
** Changed in: ust (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) ** Changed in: ust (Ubuntu) Status: New => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to ust in Ubuntu. https://bugs.launchpad.net/bugs/1953065 Title: 2.13.0 FTBFS Status in LTTng-UST: Unknown Status in ust package in Ubuntu: In Progress Bug description: I tried to merge ust from debian into ubuntu, to fix a build-time dependency, but stumbled on an FTBFS with that version. I filed upstream bug at https://bugs.lttng.org/issues/1337 It basically happens in some new test cases that were added in 2.13.0 and crash when we build it using our default -Wl,-Bsymbolic-flags linker option, which we have been using for years in Ubuntu. Here is the testsuite log output: lttng-ust 2.14.0-pre: tests/test-suite.log # TOTAL: 246 # PASS: 241 # SKIP: 0 # XFAIL: 0 # FAIL: 4 # XPASS: 0 # ERROR: 1 .. contents:: :depth: 2 ERROR: regression/abi0-conflict/test_abi0_conflict == 1..22 # LD_PRELOAD # regression/abi0-conflict/test_abi0_conflict: LD_PRELOAD ok 1 - LD_PRELOAD: no-ust app works PASS: regression/abi0-conflict/test_abi0_conflict 1 - LD_PRELOAD: no-ust app works ok 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds PASS: regression/abi0-conflict/test_abi0_conflict 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds ./regression/abi0-conflict/test_abi0_conflict: line 56: 592651 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 59: 592652 Aborted (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails ok 5 - LD_PRELOAD: ust app works PASS: regression/abi0-conflict/test_abi0_conflict 5 - LD_PRELOAD: ust app works ./regression/abi0-conflict/test_abi0_conflict: line 68: 592669 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 6 - LD_PRELOAD: ust app with abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 6 - LD_PRELOAD: ust app with abi0 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 71: 592683 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 74: 592684 Aborted (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails # dlopen # regression/abi0-conflict/test_abi0_conflict: dlopen ok 9 - dlopen: no-ust app works PASS: regression/abi0-conflict/test_abi0_conflict 9 - dlopen: no-ust app works ok 10 - dlopen: no-ust app with abi1 and abi1 succeeds PASS: regression/abi0-conflict/test_abi0_conflict 10 - dlopen: no-ust app with abi1 and abi1 succeeds ./regression/abi0-conflict/test_abi0_conflict: line 92: 592689 Aborted (core dumped) LD_LIBRARY_PATH="$LIBFAKEUST0_PATH:$LIBUST1_PATH" "${CURDIR}/app_noust_dlopen" abi0_abi1 > "$STD_OUTPUT" 2> "$STD_ERROR" ok 11 - dlopen: no-ust app with abi0 and abi1 fails PASS: regression/abi0-conflict/test_abi0_conflict 11 - dlopen: no-ust app with abi0 and abi1 fails not ok 12 - dlopen: no-ust app with abi1 and abi0 fails FAIL: regression/abi0-conflict/test_abi0_conflict 12 - dlopen: no-ust app with abi1 and abi0 fails # Failed test 'dlopen: no-ust app with abi1 and abi0 fails' # regression/abi0-conflict/test_abi0_conflict: Failed test 'dlopen: no-ust app with abi1 and abi0 fails' # in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:i
[Touch-packages] [Bug 1953065] [NEW] 2.13.0 FTBFS
Public bug reported: I tried to merge ust from debian into ubuntu, to fix a build-time dependency, but stumbled on an FTBFS with that version. I filed upstream bug at https://bugs.lttng.org/issues/1337 It basically happens in some new test cases that were added in 2.13.0 and crash when we build it using our default -Wl,-Bsymbolic-flags linker option, which we have been using for years in Ubuntu. Here is the testsuite log output: lttng-ust 2.14.0-pre: tests/test-suite.log # TOTAL: 246 # PASS: 241 # SKIP: 0 # XFAIL: 0 # FAIL: 4 # XPASS: 0 # ERROR: 1 .. contents:: :depth: 2 ERROR: regression/abi0-conflict/test_abi0_conflict == 1..22 # LD_PRELOAD # regression/abi0-conflict/test_abi0_conflict: LD_PRELOAD ok 1 - LD_PRELOAD: no-ust app works PASS: regression/abi0-conflict/test_abi0_conflict 1 - LD_PRELOAD: no-ust app works ok 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds PASS: regression/abi0-conflict/test_abi0_conflict 2 - LD_PRELOAD: no-ust app with abi0 preload succeeds ./regression/abi0-conflict/test_abi0_conflict: line 56: 592651 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 3 - LD_PRELOAD: no-ust app with abi0 and abi1 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 59: 592652 Aborted (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_noust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 4 - LD_PRELOAD: no-ust app with abi1 and abi0 preload fails ok 5 - LD_PRELOAD: ust app works PASS: regression/abi0-conflict/test_abi0_conflict 5 - LD_PRELOAD: ust app works ./regression/abi0-conflict/test_abi0_conflict: line 68: 592669 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 6 - LD_PRELOAD: ust app with abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 6 - LD_PRELOAD: ust app with abi0 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 71: 592683 Aborted (core dumped) LD_PRELOAD="${LIBFAKEUST0}:${LIBUST1}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 7 - LD_PRELOAD: ust app with abi0 and abi1 preload fails ./regression/abi0-conflict/test_abi0_conflict: line 74: 592684 Aborted (core dumped) LD_PRELOAD="${LIBUST1}:${LIBFAKEUST0}" "${CURDIR}/app_ust" > "$STD_OUTPUT" 2> "$STD_ERROR" ok 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails PASS: regression/abi0-conflict/test_abi0_conflict 8 - LD_PRELOAD: ust app with abi1 and abi0 preload fails # dlopen # regression/abi0-conflict/test_abi0_conflict: dlopen ok 9 - dlopen: no-ust app works PASS: regression/abi0-conflict/test_abi0_conflict 9 - dlopen: no-ust app works ok 10 - dlopen: no-ust app with abi1 and abi1 succeeds PASS: regression/abi0-conflict/test_abi0_conflict 10 - dlopen: no-ust app with abi1 and abi1 succeeds ./regression/abi0-conflict/test_abi0_conflict: line 92: 592689 Aborted (core dumped) LD_LIBRARY_PATH="$LIBFAKEUST0_PATH:$LIBUST1_PATH" "${CURDIR}/app_noust_dlopen" abi0_abi1 > "$STD_OUTPUT" 2> "$STD_ERROR" ok 11 - dlopen: no-ust app with abi0 and abi1 fails PASS: regression/abi0-conflict/test_abi0_conflict 11 - dlopen: no-ust app with abi0 and abi1 fails not ok 12 - dlopen: no-ust app with abi1 and abi0 fails FAIL: regression/abi0-conflict/test_abi0_conflict 12 - dlopen: no-ust app with abi1 and abi0 fails # Failed test 'dlopen: no-ust app with abi1 and abi0 fails' # regression/abi0-conflict/test_abi0_conflict: Failed test 'dlopen: no-ust app with abi1 and abi0 fails' # in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300. # regression/abi0-conflict/test_abi0_conflict: in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300. # got: '0' # regression/abi0-conflict/test_abi0_conflict: got: '0' # expected: '0' # regression/abi0-conflict/test_abi0_conflict: expected: '0' ok 13 - dlopen: ust app works PASS: regression/abi0-conflict/test_abi0_conflict 13 - dlopen: ust app works not ok 14 - dlopen: ust app with abi0 fails FAIL: regression/abi0-conflict/test_abi0_conflict 14 - dlopen: ust app with abi0 fails # Failed test 'dlopen: ust app with abi0 fails' # regression/abi0-conflict/test_abi0_conflict: Failed test 'dlopen: ust app with abi0 fails' # in /home/ubuntu/git/packages/ust/lttng-ust/tests/utils/tap.sh:isnt() at line 300. # regression/abi0-conflict/test_abi0_conflict: in
[Touch-packages] [Bug 1952242] Re: [jammy] missing rules for samba profile
While working on this bug, I noticed that not all built profiles are being installed, and dh_missing is complaining. I filed https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952632 for that, as I'm way too deep in this rabbit hole already. ** Changed in: apparmor (Ubuntu) Status: New => In Progress ** Changed in: apparmor (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1952242 Title: [jammy] missing rules for samba profile Status in apparmor package in Ubuntu: In Progress Bug description: ubuntu jammy apparmor-profiles 3.0.3-0ubuntu3 samba 2:4.13.5+dfsg-2ubuntu3 smbd: Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon... Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586080] audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12 capname="net_admin" Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586241] audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592258] audit: type=1400 audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592460] audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592532] audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined" Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592683] audit: type=1400 audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.600378] audit: type=1400 audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 nmbd: Nov 25 14:59:26 jammy-samba-apparmor systemd[1]: Starting Samba NMB Daemon... Nov 25 14:59:26 jammy-samba-apparmor kernel: [ 196.718721] audit: type=1400 audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd" pid=1067 comm="nmbd" capability=1 2 capname="net_admin" The systemd notify one for smbd was first fixed for nmbd in https://gitlab.com/apparmor/apparmor/-/merge_requests/236 for nmbd, but smbd was missed. net_admin might be https://github.com/systemd/systemd/pull/10085, I didn't check if jammy's systemd has that patch (it should, since it's old) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952242/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1952632] [NEW] Some profiles installed but not included in debs
Public bug reported: dh_missing is flagging some profiles that are installed by the Makefile, but not included in debs: $ cat ../build.log | grep dh_missing | grep -v /local/ | grep etc/apparmor\\.d dh_missing: warning: etc/apparmor.d/php-fpm exists in debian/tmp but is not installed to anywhere dh_missing: warning: etc/apparmor.d/tunables/ntpd exists in debian/tmp but is not installed to anywhere dh_missing: warning: etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 exists in debian/tmp but is not installed to anywhere dh_missing: warning: etc/apparmor.d/usr.lib.dovecot.stats exists in debian/tmp but is not installed to anywhere dh_missing: warning: etc/apparmor.d/usr.sbin.ntpd exists in debian/tmp but is not installed to anywhere dh_missing: warning: etc/apparmor.d/usr.sbin.winbindd exists in debian/tmp but is not installed to anywhere ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1952632 Title: Some profiles installed but not included in debs Status in apparmor package in Ubuntu: New Bug description: dh_missing is flagging some profiles that are installed by the Makefile, but not included in debs: $ cat ../build.log | grep dh_missing | grep -v /local/ | grep etc/apparmor\\.d dh_missing: warning: etc/apparmor.d/php-fpm exists in debian/tmp but is not installed to anywhere dh_missing: warning: etc/apparmor.d/tunables/ntpd exists in debian/tmp but is not installed to anywhere dh_missing: warning: etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 exists in debian/tmp but is not installed to anywhere dh_missing: warning: etc/apparmor.d/usr.lib.dovecot.stats exists in debian/tmp but is not installed to anywhere dh_missing: warning: etc/apparmor.d/usr.sbin.ntpd exists in debian/tmp but is not installed to anywhere dh_missing: warning: etc/apparmor.d/usr.sbin.winbindd exists in debian/tmp but is not installed to anywhere To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952632/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1952242] Re: [jammy] missing rules for samba profile
I'm having to add the following just to allow samba to be started by systemd, and I'm still missing net_admin capa, which I'm reluctant to add: --- a/profiles/apparmor.d/usr.sbin.smbd +++ b/profiles/apparmor.d/usr.sbin.smbd @@ -24,12 +24,22 @@ capability sys_resource, capability sys_tty_config, + # when started by systemd + ptrace read peer=unconfined, + /etc/mtab r, /etc/netgroup r, /etc/printcap r, /etc/samba/* rwk, @{PROC}/@{pid}/mounts r, @{PROC}/sys/kernel/core_pattern r, + + # https://gitlab.com/apparmor/apparmor/-/issues/203 + # needed when smbd is started by systemd + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + /usr/lib*/samba/vfs/*.so mr, /usr/lib*/samba/auth/*.so mr, /usr/lib*/samba/charset/*.so mr, @@ -51,6 +61,8 @@ @{run}/samba/ncalrpc/ rw, @{run}/samba/ncalrpc/** rw, @{run}/samba/smbd.pid rw, + # when started by systemd + @{run}/systemd/notify w, /var/spool/samba/** rw, @{HOMEDIRS}/** lrwk, With the above, I only get this alert now: [Mon Nov 29 14:18:54 2021] audit: type=1400 audit(1638195535.664:42): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1046 comm="smbd" capability=12 capname="net_admin" And only when starting smbd with systemd. Looks like we will have to live with that one, if I understood the comments in the usptream bug correctly. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1952242 Title: [jammy] missing rules for samba profile Status in apparmor package in Ubuntu: New Bug description: ubuntu jammy apparmor-profiles 3.0.3-0ubuntu3 samba 2:4.13.5+dfsg-2ubuntu3 smbd: Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon... Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586080] audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12 capname="net_admin" Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586241] audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592258] audit: type=1400 audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592460] audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592532] audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined" Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592683] audit: type=1400 audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.600378] audit: type=1400 audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 nmbd: Nov 25 14:59:26 jammy-samba-apparmor systemd[1]: Starting Samba NMB Daemon... Nov 25 14:59:26 jammy-samba-apparmor kernel: [ 196.718721] audit: type=1400 audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd" pid=1067 comm="nmbd" capability=1 2 capname="net_admin" The systemd notify one for smbd was first fixed for nmbd in https://gitlab.com/apparmor/apparmor/-/merge_requests/236 for nmbd, but smbd was missed. net_admin might be https://github.com/systemd/systemd/pull/10085, I didn't check if jammy's systemd has that patch (it should, since it's old) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952242/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1952242] Re: [jammy] missing rules for samba profile
Related: https://gitlab.com/apparmor/apparmor/-/issues/203 ** Bug watch added: gitlab.com/apparmor/apparmor/-/issues #203 https://gitlab.com/apparmor/apparmor/-/issues/203 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1952242 Title: [jammy] missing rules for samba profile Status in apparmor package in Ubuntu: New Bug description: ubuntu jammy apparmor-profiles 3.0.3-0ubuntu3 samba 2:4.13.5+dfsg-2ubuntu3 smbd: Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon... Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586080] audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12 capname="net_admin" Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586241] audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592258] audit: type=1400 audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592460] audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592532] audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined" Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592683] audit: type=1400 audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.600378] audit: type=1400 audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 nmbd: Nov 25 14:59:26 jammy-samba-apparmor systemd[1]: Starting Samba NMB Daemon... Nov 25 14:59:26 jammy-samba-apparmor kernel: [ 196.718721] audit: type=1400 audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd" pid=1067 comm="nmbd" capability=1 2 capname="net_admin" The systemd notify one for smbd was first fixed for nmbd in https://gitlab.com/apparmor/apparmor/-/merge_requests/236 for nmbd, but smbd was missed. net_admin might be https://github.com/systemd/systemd/pull/10085, I didn't check if jammy's systemd has that patch (it should, since it's old) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1952242/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1952242] [NEW] [jammy] missing rules for samba profile
Public bug reported: ubuntu jammy apparmor-profiles 3.0.3-0ubuntu3 samba 2:4.13.5+dfsg-2ubuntu3 smbd: Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon... Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586080] audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12 capname="net_admin" Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586241] audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592258] audit: type=1400 audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592460] audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592532] audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined" Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592683] audit: type=1400 audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.600378] audit: type=1400 audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 nmbd: Nov 25 14:59:26 jammy-samba-apparmor systemd[1]: Starting Samba NMB Daemon... Nov 25 14:59:26 jammy-samba-apparmor kernel: [ 196.718721] audit: type=1400 audit(1637852366.105:76): apparmor="ALLOWED" operation="capable" profile="nmbd" pid=1067 comm="nmbd" capability=1 2 capname="net_admin" The systemd notify one for smbd was first fixed for nmbd in https://gitlab.com/apparmor/apparmor/-/merge_requests/236 for nmbd, but smbd was missed. net_admin might be https://github.com/systemd/systemd/pull/10085, I didn't check if jammy's systemd has that patch (it should, since it's old) ** Affects: apparmor (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1952242 Title: [jammy] missing rules for samba profile Status in apparmor package in Ubuntu: New Bug description: ubuntu jammy apparmor-profiles 3.0.3-0ubuntu3 samba 2:4.13.5+dfsg-2ubuntu3 smbd: Nov 25 14:59:56 jammy-samba-apparmor systemd[1]: Starting Samba SMB Daemon... Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586080] audit: type=1400 audit(1637852396.969:77): apparmor="ALLOWED" operation="capable" profile="smbd" pid=1094 comm="smbd" capability=12 capname="net_admin" Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.586241] audit: type=1400 audit(1637852396.969:78): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592258] audit: type=1400 audit(1637852396.977:79): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/sys/kernel/osrelease" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592460] audit: type=1400 audit(1637852396.977:80): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/1/environ" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592532] audit: type=1400 audit(1637852396.977:81): apparmor="ALLOWED" operation="ptrace" profile="smbd" pid=1094 comm="smbd" requested_mask="read" denied_mask="read" peer="unconfined" Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.592683] audit: type=1400 audit(1637852396.977:82): apparmor="ALLOWED" operation="open" profile="smbd" name="/proc/cmdline" pid=1094 comm="smbd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 Nov 25 14:59:56 jammy-samba-apparmor kernel: [ 227.600378] audit: type=1400 audit(1637852396.985:83): apparmor="ALLOWED" operation="sendmsg" profile="smbd" name="/run/systemd/notify" pid=1094 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0 nmbd: Nov 25 14:59:26
[Touch-packages] [Bug 1892798] Re: systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf
> Our kernel ships wireguard modules by default anyway, and one can configure wireguard via networkd and soon via netplan. Which is our default tooling to interact with the wireguard kernel module. How should we generate the wireguard keys without `wg`? openssl? It's a significant deviation from upstream and what you will find documented out there, and puts the burden on us to make sure the keys were correctly generated, with the correct entropy source, number of rounds (if applicable), etc. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu. https://bugs.launchpad.net/bugs/1892798 Title: systemd package missing resolvconf(8) compatibility symlink, and a Provides: resolvconf Status in systemd package in Ubuntu: Won't Fix Status in wireguard package in Ubuntu: Confirmed Status in systemd package in Debian: Incomplete Bug description: By default Ubuntu now uses systemd to manage the nameservers in resolv.conf, so resolvconf and openresolv seem to be redundant. However, it appears that systemd's resolvectl is compatable with resolvconf style commands if symlinked as resolvconf. I'm not really sure how deb packaging works, but if it possible to check for the resolvconf command, and if not found just symlink /usr/bin/resolvectl to /usr/sbin/resolvconf then wg-quick will work without additional packages. See https://manpages.ubuntu.com/manpages/focal/man1/resolvectl.1#compatibility%20with%20resolvconf(8) for more info. Apologies if there is a better place to direct this info. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1892798/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1950370] [NEW] [bionic] userdel doesn't check for local users
Public bug reported: Before trying to delete a user, userdel checks if the user exists. The problem is that this check is done using getpwnam(), which will query all nss sources from /etc/nsswitch.conf. If a system has, for example, LDAP enabled, and userdel is called with the name of a user that only exists in LDAP, it will pass that check, and userdel will proceed and try to delete that user, which will obviously fail. That might not sound like a big deal, but it is. As part of the checks it runs before deleting an user, it checks if there is any running process owned by that user. This means that it will do a getpwnam() call for each running process. On a busy machine, that can be thousands, and each one will trigger an LDAP lookup. Oops. Upstream fixed this in commit https://github.com/shadow- maint/shadow/commit/2c57c399bf0d2f06dc8a8fed244ec80667a671f1 Focal and later have this upstream version and are not affected. ** Affects: shadow (Ubuntu) Importance: Undecided Status: Fix Released ** Affects: shadow (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: shadow (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: shadow (Ubuntu) Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to shadow in Ubuntu. https://bugs.launchpad.net/bugs/1950370 Title: [bionic] userdel doesn't check for local users Status in shadow package in Ubuntu: Fix Released Status in shadow source package in Bionic: New Bug description: Before trying to delete a user, userdel checks if the user exists. The problem is that this check is done using getpwnam(), which will query all nss sources from /etc/nsswitch.conf. If a system has, for example, LDAP enabled, and userdel is called with the name of a user that only exists in LDAP, it will pass that check, and userdel will proceed and try to delete that user, which will obviously fail. That might not sound like a big deal, but it is. As part of the checks it runs before deleting an user, it checks if there is any running process owned by that user. This means that it will do a getpwnam() call for each running process. On a busy machine, that can be thousands, and each one will trigger an LDAP lookup. Oops. Upstream fixed this in commit https://github.com/shadow- maint/shadow/commit/2c57c399bf0d2f06dc8a8fed244ec80667a671f1 Focal and later have this upstream version and are not affected. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/1950370/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1946860] Re: Merge heimdal from Debian unstable for 22.04
** Changed in: heimdal (Ubuntu) Assignee: (unassigned) => Andreas Hasenack (ahasenack) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to heimdal in Ubuntu. https://bugs.launchpad.net/bugs/1946860 Title: Merge heimdal from Debian unstable for 22.04 Status in heimdal package in Ubuntu: New Bug description: Scheduled-For: 22.11 Upstream: tbd Debian: 7.7.0+dfsg-2 Ubuntu: 7.7.0+dfsg-2ubuntu2 ### New Debian Changes ### heimdal (7.7.0+dfsg-2) unstable; urgency=medium * Build using python3. Closes: #936695, #960032. -- Brian May Tue, 12 May 2020 06:56:04 +1000 heimdal (7.7.0+dfsg-1) unstable; urgency=medium * New upstream version. * Fix CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC. Closes: #946786. -- Brian May Tue, 17 Dec 2019 20:23:41 +1100 heimdal (7.5.0+dfsg-3) unstable; urgency=high * CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum. Closes: #928966. * CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT. Closes: #929064. * Update test certificates to pre 2038 expiry. Closes: #923930. -- Brian May Tue, 21 May 2019 18:04:35 +1000 heimdal (7.5.0+dfsg-2.1) unstable; urgency=medium * Non-maintainer upload * Add patch to create headers before building (Closes: 906623) -- Hilko Bengen Sun, 28 Oct 2018 15:10:44 +0100 heimdal (7.5.0+dfsg-2) unstable; urgency=medium * Replace 'MAXHOSTNAMELEN' with 'MaxHostNameLen' in kdc/kx509.c for The Hurd. Closes: #900079. -- Brian May Sat, 02 Jun 2018 10:01:46 +1000 heimdal (7.5.0+dfsg-1) unstable; urgency=high * New upstream version. (Closes: #850723) + CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.4 (Closes: #878144, #868157) + Refresh patches. * Bump Standards-Version to 4.1.2 and compat level to 10. + Remove explicit reference to dh-autoreconf. * Use uscan to get orig source. + Refrain from mangling some bundled RFC texts; just exclude the mas they are not installed into any binary anyway. + Update d/copyright to DEP-5. + Can now use standard uscan/gbp/pristine-tar workflow. * Fix some lintian errors/warnings. + Strip trailing whitespace from changelog. + Fix some duplicate long descriptions. + Use optional priority everywhere. + Update/remove some overrides. + Enforce set -e in maintainer scripts. + Enable hardening. * Migrate to -dbgsym. * Add myself to uploaders. -- Dominik George Fri, 15 Dec 2017 01:13:04 +0100 heimdal (7.4.0.dfsg.1-2) unstable; urgency=medium [ Jelmer Vernooij ] * Remove myself from uploaders. [ Brian May ] * Be explicit with heimdal.mkey filename in postinst. Closes: #868638. * Tests should respect DEB_BUILD_OPTIONS=nocheck. Closes: #868842. -- Brian May Sun, 23 Jul 2017 10:32:34 +1000 heimdal (7.4.0.dfsg.1-1) unstable; urgency=high * New upstream version. * Update standards version to 4.0.0. * CVE-2017-11103: Fix Orpheus' Lyre KDC-REP service name validation. (Closes: #868208). -- Brian May Sat, 15 Jul 2017 19:47:32 +1000 heimdal (7.1.0+dfsg-13) unstable; urgency=medium * Add missing symbols base64_decode and base64_encode back into libroken. Closes: #848694. -- Brian May Wed, 26 Apr 2017 19:38:20 +1000 heimdal (7.1.0+dfsg-12) unstable; urgency=high * Fix transit path validation CVE-2017-6594. -- Brian May Mon, 10 Apr 2017 17:21:35 +1000 heimdal (7.1.0+dfsg-11) unstable; urgency=medium * Remove legacy provides/conflicts/replaces headers. Old daemons ### Old Ubuntu Delta ### heimdal (7.7.0+dfsg-2ubuntu2) impish; urgency=medium * Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226 (LP: #1945787) -- Heinrich Schuchardt Fri, 01 Oct 2021 15:03:02 +0200 heimdal (7.7.0+dfsg-2ubuntu1) impish; urgency=medium * Disable lto, to regain dep on roken, otherwise dependencies on amd64 are different to i386 resulting in different files on amd64 and i386. LP: #1934936 -- Dimitri John Ledkov Tue, 20 Jul 2021 10:32:53 +0100 heimdal (7.7.0+dfsg-2build1) impish; urgency=medium * No-change rebuild due to OpenLDAP soname bump. -- Sergio Durigan Junior Mon, 21 Jun 2021 17:48:49 -0400 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/1946860/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1943530] Re: link libkrb5 with openssl
Do we even know for sure this krb5-k5tls is enough for fips compliance, and that it replaces *all* crypto code in kerberos with openssl calls? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to krb5 in Ubuntu. https://bugs.launchpad.net/bugs/1943530 Title: link libkrb5 with openssl Status in krb5 package in Ubuntu: New Bug description: In Ubuntu we provide a cryptographic core based on a small set of packages that we FIPS certify [0]. Applications and libraries should not bundle their own crypto code but should use the cryptographic core to benefit from the certification, but also importantly to reduce bugs due to small cryptographic libraries that that are not studied as much as more popular counterparts. This bug is to change libkrb5 to use the openssl crypto code instead of bundling its own on the next ubuntu release. [0]. https://ubuntu.com/security/fips To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1943530/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1791958] Re: iptables-restore is missing -w option
For backports, a straight build of 1.6.2 would perhaps be enough. Might not seem a version change big enough for backports, but as we have seen, it does introduce a change of behavior that impacts existing firewall scripts. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iptables in Ubuntu. https://bugs.launchpad.net/bugs/1791958 Title: iptables-restore is missing -w option Status in iptables package in Ubuntu: Confirmed Bug description: For CRIU we need to have iptables version 1.6.2 which includes the '-w' option in iptables-restore. This is a request to update iptables to 1.6.2 in 18.10 and if possible backport the necessary changes to 18.04. The CRIU project gets right now many bug reports (mostly in the combination LXD + CRIU) due to the missing '-w' option in iptables- restore. Especially as 18.04 will be around for some time it would be good to have iptables-restore available with '-w'. This is one example bug report: https://github.com/checkpoint- restore/criu/issues/551 But not only CRIU would benefit from this change. It seems also problematic with Kubernetes: https://github.com/kubernetes/kubernetes/pull/60978 So if possible, please update iptables to 1.6.2 (or backport changes) to support -w in iptables-restore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1791958/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1895302] Re: groovy debootstrap leaves /e/d/motd-news.wasremoved around
I retried testcase (b) in an up-to-date focal, and it still happens. It's been a long while since I touched this package and I don't remember the details anymore. Since I'm no longer working on this, I'll mark the bug status accordingly. ** Changed in: base-files (Ubuntu Xenial) Status: In Progress => Confirmed ** Changed in: base-files (Ubuntu Bionic) Status: In Progress => Confirmed ** Changed in: base-files (Ubuntu Focal) Status: In Progress => Confirmed ** Changed in: base-files (Ubuntu Xenial) Assignee: Andreas Hasenack (ahasenack) => (unassigned) ** Changed in: base-files (Ubuntu Bionic) Assignee: Andreas Hasenack (ahasenack) => (unassigned) ** Changed in: base-files (Ubuntu Focal) Assignee: Andreas Hasenack (ahasenack) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to base-files in Ubuntu. https://bugs.launchpad.net/bugs/1895302 Title: groovy debootstrap leaves /e/d/motd-news.wasremoved around Status in base-files package in Ubuntu: Fix Released Status in base-files source package in Xenial: Confirmed Status in base-files source package in Bionic: Confirmed Status in base-files source package in Focal: Confirmed Bug description: [Impact] A fresh install of base-files, like done when using debootstrap, using the base-files from the -updates repository (in the case of ubuntu stable releases), will leave an empty /etc/default/motd-news.wasremoved file. This file is an artifact of the mechanism used to handle a corner case in the previous SRU where it would signal the motd-news-config package to install /etc/default/motd-news with ENABLED=0. See testcases (h) and (i) in the previous base-files SRU at https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1888575 for details. In test case (i) it was acked that the empty .wasremoved file was lying around, but its impact was deemed not relevant (see [other info] item (a)). Another case where /etc/default/motd-news.wasremoved would be created when it shouldn't be is when you have just base-files installed (and no ubuntu-server or motd-news-config) and did a reinstall of base- files, or an upgrade. It would again touch /etc/default/motd- news.wasremoved. The consequence of having /etc/default/motd-news.wasremoved when it's unintended is that a follow-up install of ubuntu-server, or motd-news- config for that matter, will install /etc/default/motd-news with ENABLED=0 instead of ENABLED=1. This was the case of the groovy debootstrap which resulted in this bug being filed. While debootstrap won't mix multiple repositories (like release with updates), and thus this isn't easily a problem in released versions of ubuntu, the groovy case was the one that was doing a fresh install of base-files with the buggy touch /etc/default/motd-news.wasremoved, and a subsequent install of ubuntu- server left motd-news disabled in groovy images produced by such a method (debootstrap). These are the scenarios I was able to come up with in which a stable release could be affected by this bug: a) debootstrap with release and updates pocket enabled There are no config options that I'm aware of that would tell debootstrap to use multiple pockets when creating a chroot, but let's say it was done by hacking the script or something else. It would then be the same case as groovy until this fix: subsequent installations of ubuntu-server or motd-news-config would default to having motd-news disabled b) A system that has just base-files from the previous SRU installed, and no ubuntu-server and no motd-news-config. If base-files were updated again and without the fix presented here (let's say, another SRU instead of this one), it would create /etc/default/motd- news.wasremoved, and again, a subsequent install of ubuntu-server or motd-news-config would install motd-news in a disabled state c) Any other case where the postinst script of base-files is run again without the fix presented here, and when there is no /etc/default/motd-news{,.dpkg*} file present. To avoid creating /etc/default/motd-news.wasremoved when we shouldn't, the maintainer scripts were changed as follows: - motd-news-config postinst: always remove the .wasremoved file in configure if found, regardless if /etc/default/motd-news was sed'ed or not, or if we are upgrading or on a first install - base-files postinst: guard the creation of .wasremoved with: - Only during an upgrade - Only if ubuntu-server is installed (via a dpkg -l check) [Test Case] * On the system under test, remove motd-news-config and ubuntu-server if they are installed, and keep base-files from the update pocket. Something like this: sudo apt update && sudo apt dist-upgrade -y sudo apt purge motd-news-config ubuntu-server apt-cache policy base-files <-- to verify it's from
[Touch-packages] [Bug 1791958] Re: iptables-restore is missing -w option
I tested this last change, and it does exactly what we wanted for iptables, the tool. And since that behavior is shared with all tools of the iptables suite, it means iptables-restore got that fix too (good!), but it also introduces a change in behavior for iptables-restore (bad!). When compared to the bionic 1.6.1 iptables: (a) straight backport from 1.6.2 - iptables loses the implicit -w parameter, meaning it will fail right away if it encounters the lock - iptables-restore maintains the behavior, and grows the extra -w option (b) massaged patches from comment #16 - iptables keeps the same behavior as in 1.6.1 - iptables-restore grows the implicit -w option, meaning it will block until the lock is released The locking code is shared by all tools in one .c file. Making it behave differently whether it's iptables or iptables-restore being used is kumbersome, and would make ubuntu the only one with this behavior. Alternatively, this bug has actually a very decent workaround: wrap iptables-restore in flock. That's the same locking mechanism that iptables itself does, just internally. Quick example: you want iptables-restore -w 2 file.iptables Use: flock -w 2 -x /run/xtables.lock iptables-restore file.iptables You can even augment that a bit with -E , and have flock return if the lock cannot be acquired in the specified amount of time. Of the two patch sets, it feels like (b) introduces the less worse behavior change. Before iptables-restore would fail right away, now it can get stuck for as long as the lock is held. Which is the iptables behavior already. But it's still a change, and your script could stall for as long as the lock exists. You should change it to use -w . Option (a) has the danger that if you are not checking for errors in your script, one or more iptables calls could fail, and you wouldn't notice, leaving your firewall incomplete. I think this is a dangerous change. Considering bionic is an LTS, and the existence of the flock workaround which is exactly what the code itself does, what do you guys think about this SRU? Should we pick a patch and go with it, or reject the change and recommend the flock() alternative? -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iptables in Ubuntu. https://bugs.launchpad.net/bugs/1791958 Title: iptables-restore is missing -w option Status in iptables package in Ubuntu: Confirmed Bug description: For CRIU we need to have iptables version 1.6.2 which includes the '-w' option in iptables-restore. This is a request to update iptables to 1.6.2 in 18.10 and if possible backport the necessary changes to 18.04. The CRIU project gets right now many bug reports (mostly in the combination LXD + CRIU) due to the missing '-w' option in iptables- restore. Especially as 18.04 will be around for some time it would be good to have iptables-restore available with '-w'. This is one example bug report: https://github.com/checkpoint- restore/criu/issues/551 But not only CRIU would benefit from this change. It seems also problematic with Kubernetes: https://github.com/kubernetes/kubernetes/pull/60978 So if possible, please update iptables to 1.6.2 (or backport changes) to support -w in iptables-restore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1791958/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1791958] Re: iptables-restore is missing -w option
Excellent progress Eric, thanks! I'll give it a try. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iptables in Ubuntu. https://bugs.launchpad.net/bugs/1791958 Title: iptables-restore is missing -w option Status in iptables package in Ubuntu: Confirmed Bug description: For CRIU we need to have iptables version 1.6.2 which includes the '-w' option in iptables-restore. This is a request to update iptables to 1.6.2 in 18.10 and if possible backport the necessary changes to 18.04. The CRIU project gets right now many bug reports (mostly in the combination LXD + CRIU) due to the missing '-w' option in iptables- restore. Especially as 18.04 will be around for some time it would be good to have iptables-restore available with '-w'. This is one example bug report: https://github.com/checkpoint- restore/criu/issues/551 But not only CRIU would benefit from this change. It seems also problematic with Kubernetes: https://github.com/kubernetes/kubernetes/pull/60978 So if possible, please update iptables to 1.6.2 (or backport changes) to support -w in iptables-restore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1791958/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1791958] Re: iptables-restore is missing -w option
Thanks for the b3 version! It restores the bionic implicit lock behavior (as if -w was given), but when given a specific value, in the end it ignores that it couldn't acquire the lock and moves on: In all these tests, I have a lock held. We have a chain called "andreas". See how -L waits 1 second as I requested, but moves on, listing the chain: root@b1-iptables-restore-wait-lock:~# time iptables -L andreas -w 1 Chain andreas (0 references) target prot opt source destination real0m1.005s user0m0.004s sys 0m0.000s Now I delete the chain. This shouldn't work because another app is holding the lock: root@b1-iptables-restore-wait-lock:~# time iptables -X andreas -w 1 real0m1.006s user0m0.005s sys 0m0.000s Was it deleted? Let's list again, and it was: root@b1-iptables-restore-wait-lock:~# time iptables -L andreas -w 1 iptables: No chain/target/match by that name. real0m1.005s user0m0.004s sys 0m0.000s root@b1-iptables-restore-wait-lock:~# apt-cache policy iptables iptables: Installed: 1.6.1-2ubuntu2+testpkg20210629b3 Candidate: 1.6.1-2ubuntu2+testpkg20210629b3 Version table: *** 1.6.1-2ubuntu2+testpkg20210629b3 500 500 http://ppa.launchpad.net/slashd/lp1791958/ubuntu bionic/main amd64 Packages -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iptables in Ubuntu. https://bugs.launchpad.net/bugs/1791958 Title: iptables-restore is missing -w option Status in iptables package in Ubuntu: Confirmed Bug description: For CRIU we need to have iptables version 1.6.2 which includes the '-w' option in iptables-restore. This is a request to update iptables to 1.6.2 in 18.10 and if possible backport the necessary changes to 18.04. The CRIU project gets right now many bug reports (mostly in the combination LXD + CRIU) due to the missing '-w' option in iptables- restore. Especially as 18.04 will be around for some time it would be good to have iptables-restore available with '-w'. This is one example bug report: https://github.com/checkpoint- restore/criu/issues/551 But not only CRIU would benefit from this change. It seems also problematic with Kubernetes: https://github.com/kubernetes/kubernetes/pull/60978 So if possible, please update iptables to 1.6.2 (or backport changes) to support -w in iptables-restore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1791958/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1791958] Re: iptables-restore is missing -w option
+1 for a backport, I don't think 1.6.2 is suitable for an SRU, specifically about one change I noticed with test packages that I think can break existing firewall scripts. The locking code is shared between tools, so in 1.6.2, not only do we get iptables-{save,restore} with -w support, but iptables itself changes behavior. When a lock is held, this is the current behavior in bionic: root@b1-iptables-restore-wait-lock:~# time iptables -L Another app is currently holding the xtables lock; still -9s 0us time ahead to have a chance to grab the lock... Another app is currently holding the xtables lock; still -19s 0us time ahead to have a chance to grab the lock... Another app is currently holding the xtables lock; still -29s 0us time ahead to have a chance to grab the lock... Two things: - there is an implied -w with no value, meaning infinite wait. Perhaps surprising, perhaps not. - the time countdown is negative (bug) In 1.6.2 and later, we have: root@b1-iptables-restore-wait-lock:~# time iptables -L Another app is currently holding the xtables lock. Perhaps you want to use the -w option? real0m0.003s Focal: root@f1:~# time iptables -L Another app is currently holding the xtables lock. Perhaps you want to use the -w option? real0m0.003s user0m0.004s sys 0m0.000s root@f1:~# iptables --version iptables v1.8.4 (legacy) It exits immediately. I can see this breaking existing firewall scripts that were up to now relying on the lock even without knowing it. They would be working with the bionic version, perhaps hitting the lock a few times, but with the updated version, as soon as the lock is hit, iptables exits. This means the script would have to be changed to add -w [n] to all iptables invocations, and I think that's unexpected for an update to an LTS release. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iptables in Ubuntu. https://bugs.launchpad.net/bugs/1791958 Title: iptables-restore is missing -w option Status in iptables package in Ubuntu: Confirmed Bug description: For CRIU we need to have iptables version 1.6.2 which includes the '-w' option in iptables-restore. This is a request to update iptables to 1.6.2 in 18.10 and if possible backport the necessary changes to 18.04. The CRIU project gets right now many bug reports (mostly in the combination LXD + CRIU) due to the missing '-w' option in iptables- restore. Especially as 18.04 will be around for some time it would be good to have iptables-restore available with '-w'. This is one example bug report: https://github.com/checkpoint- restore/criu/issues/551 But not only CRIU would benefit from this change. It seems also problematic with Kubernetes: https://github.com/kubernetes/kubernetes/pull/60978 So if possible, please update iptables to 1.6.2 (or backport changes) to support -w in iptables-restore. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1791958/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1913810] Re: restart doesn't test for syntax errors
yeah, it's specifically restart that we want to check -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1913810 Title: restart doesn't test for syntax errors Status in openssh package in Ubuntu: Confirmed Bug description: Tested openssh on bionic and groovy, same issue. The switch to systemd lost the ability to do a sanity check on the config file (via sshd -t) before attempting to restart sshd. This was originally bug #624361 in the SySV days, fixed in the initscript back then. The sysv script still does it, but it's not used anymore: restart) check_privsep_dir check_config log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true And: check_config() { if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then /usr/sbin/sshd $SSHD_OPTS -t || exit 1 fi } The systemd service file has only ExecStartPre, which doesn't let it start if there is an error, but will happily stop it: [Unit] Description=OpenBSD Secure Shell server After=network.target auditd.service ConditionPathExists=!/etc/ssh/sshd_not_to_be_run [Service] EnvironmentFile=-/etc/default/ssh ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D $SSHD_OPTS ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID ... Example: # sshd -t # systemctl restart sshd # telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 ^] telnet> quit Connection closed. # echo "syntax error" >> /etc/ssh/sshd_config # sshd -t /etc/ssh/sshd_config: line 123: Bad configuration option: syntax /etc/ssh/sshd_config: terminating, 1 bad configuration options # systemctl restart sshd Job for ssh.service failed because the control process exited with error code. See "systemctl status ssh.service" and "journalctl -xe" for details. # telnet localhost 22 Trying 127.0.0.1... telnet: Unable to connect to remote host: Connection refused # To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1913810/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 388605] Re: [MIR] rsyslog
Actually, Christian didn't explicitly ack the stable releases in that comment (but he did in the MPs I raised for the seed changes). I'll ask him tomorrow to flip the statuses. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/388605 Title: [MIR] rsyslog Status in rsyslog package in Ubuntu: Fix Released Status in rsyslog source package in Bionic: New Status in rsyslog source package in Focal: New Status in rsyslog source package in Groovy: New Status in rsyslog source package in Hirsute: Fix Released Bug description: Binary package hint: rsyslog We want to make rsyslog the new default syslogger. See https://wiki.ubuntu.com/MainInclusionReport/rsyslog To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388605/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 388605] Re: [MIR] rsyslog
Given Christian's comments in comment #6, and the fact that the seed changes were done, I'm going to mark the tasks for the stable releases as "fix committed" -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/388605 Title: [MIR] rsyslog Status in rsyslog package in Ubuntu: Fix Released Status in rsyslog source package in Bionic: New Status in rsyslog source package in Focal: New Status in rsyslog source package in Groovy: New Status in rsyslog source package in Hirsute: Fix Released Bug description: Binary package hint: rsyslog We want to make rsyslog the new default syslogger. See https://wiki.ubuntu.com/MainInclusionReport/rsyslog To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388605/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 388605] Re: [MIR] rsyslog
Meeting minutes: https://new.ubottu.com/meetingology/logs/ubuntu- meeting/2021/ubuntu-meeting.2021-03-25-15.00.moin.txt -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/388605 Title: [MIR] rsyslog Status in rsyslog package in Ubuntu: Fix Released Status in rsyslog source package in Bionic: New Status in rsyslog source package in Focal: New Status in rsyslog source package in Groovy: New Status in rsyslog source package in Hirsute: Fix Released Bug description: Binary package hint: rsyslog We want to make rsyslog the new default syslogger. See https://wiki.ubuntu.com/MainInclusionReport/rsyslog To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388605/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 388605] Re: [MIR] rsyslog
I'll provide MPs for bionic, focal and groovy to change the seeds to pull rsyslog-gnutls into main, as discussed in #ubuntu-meeting with Foundations today, and then ping an archive admin. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/388605 Title: [MIR] rsyslog Status in rsyslog package in Ubuntu: Fix Released Status in rsyslog source package in Bionic: New Status in rsyslog source package in Focal: New Status in rsyslog source package in Groovy: New Status in rsyslog source package in Hirsute: Fix Released Bug description: Binary package hint: rsyslog We want to make rsyslog the new default syslogger. See https://wiki.ubuntu.com/MainInclusionReport/rsyslog To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388605/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 388605] Re: [MIR] rsyslog
We would like to retroactively promote rsyslog-gnutls, a binary package built from src:rsyslog (subject of this completed MIR), into main. rsyslog-gnutls provides a gnutls plugin which allows rsyslog to encrypt the data it sends to log servers. We believe this is a common scenario, and very much needed for compliance nowadays, and this package should be in main because of that. rsyslog-gnutls was already part of this MIR, but was left in universe because nothing pulled it into main (dependency or seed change). I didn't see any comments here in the bug, or in the MIR report (https://wiki.ubuntu.com/MainInclusionReport/rsyslog), that would be specific about rsyslog-gnutls and why it should not be promoted. There was just a list of dependencies, and they were ok for main inclusion, and remain so to this date: bionic: 8.32.0-1ubuntu4 Depends: libc6 (>= 2.14), libgnutls30 (>= 3.5.6), rsyslog (= 8.32.0-1ubuntu4) Suggests: gnutls-bin Depends are all in main, and Suggests is in universe, which is ok. focal: 8.2001.0-1ubuntu1.1 Depends: libc6 (>= 2.14), libgnutls30 (>= 3.6.12), rsyslog (= 8.2001.0-1ubuntu1.1) Suggests: gnutls-bin Same deps. groovy: 8.2006.0-2ubuntu1 Depends: libc6 (>= 2.14), libgnutls30 (>= 3.6.12), rsyslog (= 8.2006.0-2ubuntu1) Suggests: gnutls-bin Same deps. Hirsute: 8.2102.0-2ubuntu1 Depends: libc6 (>= 2.33), libgnutls30 (>= 3.7.0), rsyslog (= 8.2102.0-2ubuntu1) Suggests: gnutls-bin Same deps. List of rsyslog CVEs in the Ubuntu CVE tracker: https://ubuntu.com/security/cve?q==rsyslog=== None are related to encryption support. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/388605 Title: [MIR] rsyslog Status in rsyslog package in Ubuntu: Fix Released Status in rsyslog source package in Bionic: New Status in rsyslog source package in Focal: New Status in rsyslog source package in Groovy: New Status in rsyslog source package in Hirsute: Fix Released Bug description: Binary package hint: rsyslog We want to make rsyslog the new default syslogger. See https://wiki.ubuntu.com/MainInclusionReport/rsyslog To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388605/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 388605] Re: [MIR] rsyslog
** Also affects: rsyslog (Ubuntu Bionic) Importance: Undecided Status: New ** Also affects: rsyslog (Ubuntu Groovy) Importance: Undecided Status: New ** Also affects: rsyslog (Ubuntu Hirsute) Importance: Undecided Assignee: Kees Cook (kees) Status: Fix Released ** Also affects: rsyslog (Ubuntu Focal) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to rsyslog in Ubuntu. https://bugs.launchpad.net/bugs/388605 Title: [MIR] rsyslog Status in rsyslog package in Ubuntu: Fix Released Status in rsyslog source package in Bionic: New Status in rsyslog source package in Focal: New Status in rsyslog source package in Groovy: New Status in rsyslog source package in Hirsute: Fix Released Bug description: Binary package hint: rsyslog We want to make rsyslog the new default syslogger. See https://wiki.ubuntu.com/MainInclusionReport/rsyslog To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/388605/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1913187] Re: iproute2 segfaults when filtering sockets
postgresql-common amd64 and i386: passed after a retry ubuntu-fan: see previous comment, known flaky test, and analysis of the test output shows that the test actually passed. I retried both amd64 and s390x, but I ask the SRU team to consider those runs green if they failed again (update: amd64 just passed, s390x still pending results). -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iproute2 in Ubuntu. https://bugs.launchpad.net/bugs/1913187 Title: iproute2 segfaults when filtering sockets Status in iproute2 package in Ubuntu: Fix Released Status in iproute2 source package in Bionic: Fix Committed Bug description: [Impact] * The ss tool crashes when a query returns no results (seg fault) [Test Case] * $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1 Segmentation fault * PPA with the fix: https://launchpad.net/~rafaeldtinoco/+archive/ubuntu/lp1913187 [Where problems could occur] * The ss tool is impacted and it has its code changed for the fix. * The fix is a clean cherry-pick and straightforward (moving declaration after a NULL check). [Other Info] When in Ubuntu Bionic, if one calls: $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1 tcp 00 127.0.0.1:58910 127.0.0.1:22 users:(("ssh",pid=11672,fd=3)) timer:(keepalive,119min,0) it works. Just like when in Groovy: $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1 tcp 00 127.0.0.1:58908 127.0.0.1:22 users:(("ssh",pid=1488591,fd=3)) timer:(keepalive,119min,0) but.. if there is nothing to show, in Bionic we get a segfault: $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1 Segmentation fault To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iproute2/+bug/1913187/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1913187] Re: iproute2 segfaults when filtering sockets
ubuntu-fan dep8 failures are due to https://bugs.launchpad.net/ubuntu/+source/ubuntu-fan/+bug/1830180. It was fixed in focal+, but in bionic it remains flaky. Explanation is in https://bugs.launchpad.net/ubuntu/+source/ubuntu- fan/+bug/1830180/comments/1 I'll retry it once or twice, but we can see from the test output that the test worked, and the stderr text is just noise that happened because systemd-resolve was called too soon: Starting fanatic-test lxd test: Waiting for addresses on eth0 ... lxd test: Waiting for addresses on eth0 ... lxd test: Waiting for addresses on eth0 ... lxd test: Waiting for addresses on eth0 ... lxd test: Waiting for addresses on eth0 ... slave: detected primary route through eth0 [0;1;31msd_bus_open_system: No such file or directory[0m <-- too soon slave: waiting for systemd resolver... slave: DNS: systemd(250.40.8.1) <--- now it worked, and the test continues ... -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to iproute2 in Ubuntu. https://bugs.launchpad.net/bugs/1913187 Title: iproute2 segfaults when filtering sockets Status in iproute2 package in Ubuntu: Fix Released Status in iproute2 source package in Bionic: Fix Committed Bug description: [Impact] * The ss tool crashes when a query returns no results (seg fault) [Test Case] * $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1 Segmentation fault * PPA with the fix: https://launchpad.net/~rafaeldtinoco/+archive/ubuntu/lp1913187 [Where problems could occur] * The ss tool is impacted and it has its code changed for the fix. * The fix is a clean cherry-pick and straightforward (moving declaration after a NULL check). [Other Info] When in Ubuntu Bionic, if one calls: $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1 tcp 00 127.0.0.1:58910 127.0.0.1:22 users:(("ssh",pid=11672,fd=3)) timer:(keepalive,119min,0) it works. Just like when in Groovy: $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1 tcp 00 127.0.0.1:58908 127.0.0.1:22 users:(("ssh",pid=1488591,fd=3)) timer:(keepalive,119min,0) but.. if there is nothing to show, in Bionic we get a segfault: $ sudo ss -Hnp -o state established 'dport = 22' src 127.0.0.1 dst 127.0.0.1 Segmentation fault To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/iproute2/+bug/1913187/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1913810] [NEW] restart doesn't test for syntax errors
Public bug reported: Tested openssh on bionic and groovy, same issue. The switch to systemd lost the ability to do a sanity check on the config file (via sshd -t) before attempting to restart sshd. This was originally bug #624361 in the SySV days, fixed in the initscript back then. The sysv script still does it, but it's not used anymore: restart) check_privsep_dir check_config log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true And: check_config() { if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then /usr/sbin/sshd $SSHD_OPTS -t || exit 1 fi } The systemd service file has only ExecStartPre, which doesn't let it start if there is an error, but will happily stop it: [Unit] Description=OpenBSD Secure Shell server After=network.target auditd.service ConditionPathExists=!/etc/ssh/sshd_not_to_be_run [Service] EnvironmentFile=-/etc/default/ssh ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D $SSHD_OPTS ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID ... Example: # sshd -t # systemctl restart sshd # telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 ^] telnet> quit Connection closed. # echo "syntax error" >> /etc/ssh/sshd_config # sshd -t /etc/ssh/sshd_config: line 123: Bad configuration option: syntax /etc/ssh/sshd_config: terminating, 1 bad configuration options # systemctl restart sshd Job for ssh.service failed because the control process exited with error code. See "systemctl status ssh.service" and "journalctl -xe" for details. # telnet localhost 22 Trying 127.0.0.1... telnet: Unable to connect to remote host: Connection refused # ** Affects: openssh (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu. https://bugs.launchpad.net/bugs/1913810 Title: restart doesn't test for syntax errors Status in openssh package in Ubuntu: New Bug description: Tested openssh on bionic and groovy, same issue. The switch to systemd lost the ability to do a sanity check on the config file (via sshd -t) before attempting to restart sshd. This was originally bug #624361 in the SySV days, fixed in the initscript back then. The sysv script still does it, but it's not used anymore: restart) check_privsep_dir check_config log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true And: check_config() { if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then /usr/sbin/sshd $SSHD_OPTS -t || exit 1 fi } The systemd service file has only ExecStartPre, which doesn't let it start if there is an error, but will happily stop it: [Unit] Description=OpenBSD Secure Shell server After=network.target auditd.service ConditionPathExists=!/etc/ssh/sshd_not_to_be_run [Service] EnvironmentFile=-/etc/default/ssh ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D $SSHD_OPTS ExecReload=/usr/sbin/sshd -t ExecReload=/bin/kill -HUP $MAINPID ... Example: # sshd -t # systemctl restart sshd # telnet localhost 22 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3 ^]
[Touch-packages] [Bug 1899218] Re: Incorrect warning from apparmor_parser on force complained profiles
Just saw this in bionic, I guess it's not important enough for an SRU? # apparmor_parser -r -T -W --Complain /etc/apparmor.d/pam_roles /etc/apparmor.d/usr.sbin.sshd Warning failed to create cache: pam_roles Warning failed to create cache: usr.sbin.sshd -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1899218 Title: Incorrect warning from apparmor_parser on force complained profiles Status in apparmor package in Ubuntu: Fix Released Bug description: apparmor_parser on a force complained profile produces an incorrect warning message: $ sudo apparmor_parser -rW /etc/apparmor.d/usr.sbin.sssd Warning: found usr.sbin.sssd in /etc/apparmor.d/force-complain, forcing complain mode Warning from /etc/apparmor.d/usr.sbin.sssd (/etc/apparmor.d/usr.sbin.sssd line 54): Warning failed to create cache: usr.sbin.sssd Even though not generating the cache at all is expected, the warning should describe caching is disabled for force complained profiles instead of failure to create it. $ lsb_release -rd Description: Ubuntu Groovy Gorilla (development branch) Release: 20.10 $ apt-cache policy apparmor apparmor: Installed: 3.0.0~beta1-0ubuntu6 Candidate: 3.0.0~beta1-0ubuntu6 Version table: *** 3.0.0~beta1-0ubuntu6 500 500 http://archive.ubuntu.com/ubuntu groovy/main amd64 Packages 100 /var/lib/dpkg/status To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1899218/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
TL;DR verification-succeeded Ok, so here are the details. I have two vms: one called orig-audit-bionic, the other called sru- audit-bionic, where I ran the script from comment #23 over the weekend in multiple scenarios. With auditd-1:2.8.2-1ubuntu1, the bug is reproduced after a few hours, whereas with 1:2.8.2-1ubuntu1.1 I had it running over 36h in one case with no failure. a) orig-audit-bionic Installed with the original auditd-1:2.8.2-1ubuntu1, I had two runs to verify the failure: a.1) First run started at Fri Jan 22 19:20:29 UTC 2021 failed at Fri Jan 22 22:43:51 UTC 2021 Jan 22 22:43:51 orig-audit-bionic systemd[1]: Starting Security Auditing Service... Jan 22 22:43:51 orig-audit-bionic auditd[24058]: Started dispatcher: /sbin/audispd pid: 24060 Jan 22 22:43:51 orig-audit-bionic audispd: No plugins found, exiting Jan 22 22:45:21 orig-audit-bionic systemd[1]: auditd.service: Start operation timed out. Terminating. a.2) Second run, same package started at Sat Jan 23 14:30:11 UTC 2021 failed at Sat Jan 23 21:35:20 UTC 2021 Jan 23 21:35:20 orig-audit-bionic systemd[1]: Starting Security Auditing Service... Jan 23 21:35:20 orig-audit-bionic auditd[7794]: Started dispatcher: /sbin/audispd pid: 7796 Jan 23 21:35:20 orig-audit-bionic audispd: No plugins found, exiting Jan 23 21:36:50 orig-audit-bionic systemd[1]: auditd.service: Start operation timed out. Terminating. I then upgraded the auditd package to 1:2.8.2-1ubuntu1.1, and started another run: started at Sat Jan 23 23:54:35 UTC 2021 manually aborted at Mon Jan 25 12:23:42 UTC 2021 No failure. b) sru-audit-bionic Installed the original auditd-1:2.8.2-1ubuntu1, and upgraded it straight away to 1:2.8.2-1ubuntu1.1. Then started the script. started at Fri Jan 22 19:23:38 UTC 2021 manually aborted at Sun Jan 24 18:53:09 UTC 2021 No failure. I then downgraded the auditd package back to auditd-1:2.8.2-1ubuntu1 and ran the script again. started at Sun Jan 24 19:00:56 UTC 2021 failed at Sun Jan 24 23:32:58 UTC 2021 Jan 24 23:32:58 sru-audit-bionic systemd[1]: Starting Security Auditing Service... Jan 24 23:32:58 sru-audit-bionic auditd[11439]: Started dispatcher: /sbin/audispd pid: 11441 Jan 24 23:32:58 sru-audit-bionic audispd: No plugins found, exiting Jan 24 23:34:28 sru-audit-bionic systemd[1]: auditd.service: Start operation timed out. Terminating. Full logs attached as tarballs for, heh, audit purposes :) ** Attachment added: "audit-sru-1848330.tar.xz" https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1848330/+attachment/5456640/+files/audit-sru-1848330.tar.xz ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Fix Released Status in audit source package in Bionic: Fix Committed Status in audit package in Debian: New Bug description: [Impact] Sometimes, auditd will get stuck when starting up, causing systemd to kill it after a while since it (systemd) never got the start notification. Upstream troubleshooted this to be caused by calling a syslog() function inside a signal handler. [Test Case] There is no reliable test case to reproduce the bug, other than trying the fixed packages on an affected system where the hang occurs more frequently. Basically: sudo systemctl stop auditd sudo systemctl start auditd should work reliably. Do not run that in a tight loop, however, as that will trigger a it's-restarting-too-frequently failure. [Where problems could occur] - if auditd fails to start, then the first fallback is syslog, and if that is not picking up the audit messages, the last resort is the kernel buffer, which can fill up. In the case it fills up, audit logs will be lost. - it's possible to configure the audit system to panic() the machine if audit messages are lost or otherwise not able to be recorded (auditctl -f 2; default is 1 which is printk()) - the update restarts auditd as expected. Misconfiguration on very very busy systems could mean that audit logs would be lost during the brief moment the service is restarted. If that's the case, this update would just be one more way to trigger it, but not be the root cause of the problem - similarly, as is usual with updates that restart services, it's possible than an incorrect configuration for auditd is present, but was never loaded before. The restart will load the config, and will fail in such a case. - this update removes a logging statement that occurs during startup: ("dispatcher %d reaped", pid) It's unlikely, but possible, that some monitoring software could be looking for that message in the logs. It won't be there anymore after this update. [Other Info]
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
I prepared two bionic instances to run over the weekend. One is running auditd from bionic, and the other is running the SRU proposed package. I have auditd being restarted via this script in both (just the email message is different, to say which package it was): #!/bin/bash result=0 while /bin/true; do date sudo systemctl restart auditd || result=$? if [ "$result" -ne "0" ]; then echo "FAILED, result=$result" break fi pid=$(pidof auditd) || result=$? if [ "$result" -ne "0" ]; then echo "FAILED, auditd not running" break fi echo "auditd pid = $pid" sleep 2 echo done mail -s "ALERT: audit orig test failed" andr...@canonical.com < reaped" isn't shown, which is exactly the bug: auditd hangs while trying to log that message inside a signal handler. So, looking good. Let's see if I can get another failure. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Fix Released Status in audit source package in Bionic: Fix Committed Status in audit package in Debian: New Bug description: [Impact] Sometimes, auditd will get stuck when starting up, causing systemd to kill it after a while since it (systemd) never got the start notification. Upstream troubleshooted this to be caused by calling a syslog() function inside a signal handler. [Test Case] There is no reliable test case to reproduce the bug, other than trying the fixed packages on an affected system where the hang occurs more frequently. Basically: sudo systemctl stop auditd sudo systemctl start auditd should work reliably. Do not run that in a tight loop, however, as that will trigger a it's-restarting-too-frequently failure. [Where problems could occur] - if auditd fails to start, then the first fallback is syslog, and if that is not picking up the audit messages, the last resort is the kernel buffer, which can fill up. In the case it fills up, audit logs will be lost. - it's possible to configure the audit system to panic() the machine if audit messages are lost or otherwise not able to be recorded (auditctl -f 2; default is 1 which is printk()) - the update restarts auditd as expected. Misconfiguration on very very busy systems could mean that audit logs would be lost during the brief moment the service is restarted. If that's the case, this update would just be one more way to trigger it, but not be the root cause of the problem - similarly, as is usual with updates that restart services, it's possible than an incorrect configuration for auditd is present, but was never loaded before. The restart will load the config, and will fail in such a case. - this update removes a logging statement that occurs during startup: ("dispatcher %d reaped", pid) It's unlikely, but possible, that some monitoring software could be looking for that message in the logs. It won't be there anymore after this update. [Other Info] The patch is committed upstream and part of the 2.8.5 release, which is present in Focal and later. The real fix for this bug is just dropping the audit_msg() call in the signal handler code. But the original reporter of the bug, who is also who came up with the fix (see https://bugzilla.redhat.com/show_bug.cgi?id=1587995#c4) stated that with the 3 changes in the patch the startup hang didn't happen to him anymore. Since this bug is difficult to reproduce elsewhere (either you have it, or you don't), I chose to keep the 3 changes instead of just the removal of the audit_msg() call. [Original Description] This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher:
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
Dr. Harbott, would you be able to test the new audit packages in bionic- proposed? The SRU team is reluctant to approve this update without some sort of confirmation that it fixes the bug, and I haven't been able to reproduce it myself. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Fix Released Status in audit source package in Bionic: Fix Committed Status in audit package in Debian: New Bug description: [Impact] Sometimes, auditd will get stuck when starting up, causing systemd to kill it after a while since it (systemd) never got the start notification. Upstream troubleshooted this to be caused by calling a syslog() function inside a signal handler. [Test Case] There is no reliable test case to reproduce the bug, other than trying the fixed packages on an affected system where the hang occurs more frequently. Basically: sudo systemctl stop auditd sudo systemctl start auditd should work reliably. Do not run that in a tight loop, however, as that will trigger a it's-restarting-too-frequently failure. [Where problems could occur] - if auditd fails to start, then the first fallback is syslog, and if that is not picking up the audit messages, the last resort is the kernel buffer, which can fill up. In the case it fills up, audit logs will be lost. - it's possible to configure the audit system to panic() the machine if audit messages are lost or otherwise not able to be recorded (auditctl -f 2; default is 1 which is printk()) - the update restarts auditd as expected. Misconfiguration on very very busy systems could mean that audit logs would be lost during the brief moment the service is restarted. If that's the case, this update would just be one more way to trigger it, but not be the root cause of the problem - similarly, as is usual with updates that restart services, it's possible than an incorrect configuration for auditd is present, but was never loaded before. The restart will load the config, and will fail in such a case. - this update removes a logging statement that occurs during startup: ("dispatcher %d reaped", pid) It's unlikely, but possible, that some monitoring software could be looking for that message in the logs. It won't be there anymore after this update. [Other Info] The patch is committed upstream and part of the 2.8.5 release, which is present in Focal and later. The real fix for this bug is just dropping the audit_msg() call in the signal handler code. But the original reporter of the bug, who is also who came up with the fix (see https://bugzilla.redhat.com/show_bug.cgi?id=1587995#c4) stated that with the 3 changes in the patch the startup hang didn't happen to him anymore. Since this bug is difficult to reproduce elsewhere (either you have it, or you don't), I chose to keep the 3 changes instead of just the removal of the audit_msg() call. [Original Description] This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705 Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9 Sep 17 18:43:06
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
Since it's difficult to reproduce the bug, what I'm going to do is setup a system with the previous auditd, setup some rules, confirm they are working, then upgrade, and confirm it keeps working, also after a reboot. # Bionic verification auditd from bionic: auditd: Installed: 1:2.8.2-1ubuntu1 Candidate: 1:2.8.2-1ubuntu1 Version table: *** 1:2.8.2-1ubuntu1 500 500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages Created a simple rule: # cat /etc/audit/rules.d/30-shadow.rules -w /etc/shadow -p wa -k shadow-changed Loaded after restart: # auditctl -l -w /etc/shadow -p wa -k shadow-changed Confirmed a change to the file gets logged: # chmod 0400 /etc/shadow # /var/log/audit/auditd.log (parsed with ausearch -i): type=PROCTITLE msg=audit(01/18/21 17:49:31.077:32) : proctitle=chmod 0400 /etc/shadow type=PATH msg=audit(01/18/21 17:49:31.077:32) : item=0 name=/etc/shadow inode=64070 dev=fc:01 mode=file,640 ouid=root ogid=shadow rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(01/18/21 17:49:31.077:32) : cwd=/root type=SYSCALL msg=audit(01/18/21 17:49:31.077:32) : arch=x86_64 syscall=fchmodat success=yes exit=0 a0=0xff9c a1=0x5577580dc1c0 a2=0400 a3=0x0 items=1 ppid=1499 pid=1992 auid=ubuntu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chmod exe=/bin/chmod key=shadow-changed Now updating the package: # apt-cache policy auditd auditd: Installed: 1:2.8.2-1ubuntu1.1 Candidate: 1:2.8.2-1ubuntu1.1 Version table: *** 1:2.8.2-1ubuntu1.1 500 500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages 100 /var/lib/dpkg/status 1:2.8.2-1ubuntu1 500 500 http://br.archive.ubuntu.com/ubuntu bionic/main amd64 Packages (and its deps, like libaudit1, etc). The same rule continues loaded: # auditctl -l -w /etc/shadow -p wa -k shadow-changed Also after a manual restart: # systemctl restart auditd # auditctl -l -w /etc/shadow -p wa -k shadow-changed And changing /etc/shadow is logged (let's use 0640 this time): # chmod 0640 /etc/shadow # log: type=PROCTITLE msg=audit(01/18/21 17:54:51.942:56) : proctitle=chmod 0640 /etc/shadow type=PATH msg=audit(01/18/21 17:54:51.942:56) : item=0 name=/etc/shadow inode=64070 dev=fc:01 mode=file,400 ouid=root ogid=shadow rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=CWD msg=audit(01/18/21 17:54:51.942:56) : cwd=/root type=SYSCALL msg=audit(01/18/21 17:54:51.942:56) : arch=x86_64 syscall=fchmodat success=yes exit=0 a0=0xff9c a1=0x563ae04471c0 a2=0640 a3=0x0 items=1 ppid=1499 pid=2845 auid=ubuntu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=3 comm=chmod exe=/bin/chmod key=shadow-changed I then rebooted the system, performed the same tests, and got the same results with the updated package. It would be great if people who were affected by this bug, and can reasonably reproduce it, could test the packages from proposed. In the meantime, I'll mark this as verification succeeded. ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Fix Released Status in audit source package in Bionic: Fix Committed Status in audit package in Debian: New Bug description: [Impact] Sometimes, auditd will get stuck when starting up, causing systemd to kill it after a while since it (systemd) never got the start notification. Upstream troubleshooted this to be caused by calling a syslog() function inside a signal handler. [Test Case] There is no reliable test case to reproduce the bug, other than trying the fixed packages on an affected system where the hang occurs more frequently. Basically: sudo systemctl stop auditd sudo systemctl start auditd should work reliably. Do not run that in a tight loop, however, as that will trigger a it's-restarting-too-frequently failure. [Where problems could occur] - if auditd fails to start, then the first fallback is syslog, and if that is not picking up the audit messages, the last resort is the kernel buffer, which can fill up. In the case it fills up, audit logs will be lost. - it's possible to configure the audit system to panic() the machine if audit messages are lost or otherwise not able to be recorded (auditctl -f 2; default is 1 which is printk()) - the update restarts auditd as expected. Misconfiguration on very very busy systems could mean that audit logs would be lost during the brief moment the service is restarted. If that's the case, this update would just be one more way to trigger it, but not be the root cause of
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
All regressions have been resolved after some retries. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Fix Released Status in audit source package in Bionic: Fix Committed Status in audit package in Debian: New Bug description: [Impact] Sometimes, auditd will get stuck when starting up, causing systemd to kill it after a while since it (systemd) never got the start notification. Upstream troubleshooted this to be caused by calling a syslog() function inside a signal handler. [Test Case] There is no reliable test case to reproduce the bug, other than trying the fixed packages on an affected system where the hang occurs more frequently. Basically: sudo systemctl stop auditd sudo systemctl start auditd should work reliably. Do not run that in a tight loop, however, as that will trigger a it's-restarting-too-frequently failure. [Where problems could occur] - if auditd fails to start, then the first fallback is syslog, and if that is not picking up the audit messages, the last resort is the kernel buffer, which can fill up. In the case it fills up, audit logs will be lost. - it's possible to configure the audit system to panic() the machine if audit messages are lost or otherwise not able to be recorded (auditctl -f 2; default is 1 which is printk()) - the update restarts auditd as expected. Misconfiguration on very very busy systems could mean that audit logs would be lost during the brief moment the service is restarted. If that's the case, this update would just be one more way to trigger it, but not be the root cause of the problem - similarly, as is usual with updates that restart services, it's possible than an incorrect configuration for auditd is present, but was never loaded before. The restart will load the config, and will fail in such a case. - this update removes a logging statement that occurs during startup: ("dispatcher %d reaped", pid) It's unlikely, but possible, that some monitoring software could be looking for that message in the logs. It won't be there anymore after this update. [Other Info] The patch is committed upstream and part of the 2.8.5 release, which is present in Focal and later. The real fix for this bug is just dropping the audit_msg() call in the signal handler code. But the original reporter of the bug, who is also who came up with the fix (see https://bugzilla.redhat.com/show_bug.cgi?id=1587995#c4) stated that with the 3 changes in the patch the startup hang didn't happen to him anymore. Since this bug is difficult to reproduce elsewhere (either you have it, or you don't), I chose to keep the 3 changes instead of just the removal of the audit_msg() call. [Original Description] This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705 Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9 Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'. Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service. dpkg: error processing package
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
I'm going over the DEP8 failures -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Fix Released Status in audit source package in Bionic: Fix Committed Status in audit package in Debian: New Bug description: [Impact] Sometimes, auditd will get stuck when starting up, causing systemd to kill it after a while since it (systemd) never got the start notification. Upstream troubleshooted this to be caused by calling a syslog() function inside a signal handler. [Test Case] There is no reliable test case to reproduce the bug, other than trying the fixed packages on an affected system where the hang occurs more frequently. Basically: sudo systemctl stop auditd sudo systemctl start auditd should work reliably. Do not run that in a tight loop, however, as that will trigger a it's-restarting-too-frequently failure. [Where problems could occur] - if auditd fails to start, then the first fallback is syslog, and if that is not picking up the audit messages, the last resort is the kernel buffer, which can fill up. In the case it fills up, audit logs will be lost. - it's possible to configure the audit system to panic() the machine if audit messages are lost or otherwise not able to be recorded (auditctl -f 2; default is 1 which is printk()) - the update restarts auditd as expected. Misconfiguration on very very busy systems could mean that audit logs would be lost during the brief moment the service is restarted. If that's the case, this update would just be one more way to trigger it, but not be the root cause of the problem - similarly, as is usual with updates that restart services, it's possible than an incorrect configuration for auditd is present, but was never loaded before. The restart will load the config, and will fail in such a case. - this update removes a logging statement that occurs during startup: ("dispatcher %d reaped", pid) It's unlikely, but possible, that some monitoring software could be looking for that message in the logs. It won't be there anymore after this update. [Other Info] The patch is committed upstream and part of the 2.8.5 release, which is present in Focal and later. The real fix for this bug is just dropping the audit_msg() call in the signal handler code. But the original reporter of the bug, who is also who came up with the fix (see https://bugzilla.redhat.com/show_bug.cgi?id=1587995#c4) stated that with the 3 changes in the patch the startup hang didn't happen to him anymore. Since this bug is difficult to reproduce elsewhere (either you have it, or you don't), I chose to keep the 3 changes instead of just the removal of the audit_msg() call. [Original Description] This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705 Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9 Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'. Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service. dpkg: error processing package auditd (--configure):
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
Package uploaded to the SRU queue ** Changed in: audit (Ubuntu) Status: Confirmed => In Progress -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: In Progress Status in audit package in Debian: New Bug description: [Impact] Sometimes, auditd will get stuck when starting up, causing systemd to kill it after a while since it (systemd) never got the start notification. Upstream troubleshooted this to be caused by calling a syslog() function inside a signal handler. [Test Case] There is no reliable test case to reproduce the bug, other than trying the fixed packages on an affected system where the hang occurs more frequently. Basically: sudo systemctl stop auditd sudo systemctl start auditd should work reliably. Do not run that in a tight loop, however, as that will trigger a it's-restarting-too-frequently failure. [Where problems could occur] - if auditd fails to start, then the first fallback is syslog, and if that is not picking up the audit messages, the last resort is the kernel buffer, which can fill up. In the case it fills up, audit logs will be lost. - it's possible to configure the audit system to panic() the machine if audit messages are lost or otherwise not able to be recorded (auditctl -f 2; default is 1 which is printk()) - the update restarts auditd as expected. Misconfiguration on very very busy systems could mean that audit logs would be lost during the brief moment the service is restarted. If that's the case, this update would just be one more way to trigger it, but not be the root cause of the problem - similarly, as is usual with updates that restart services, it's possible than an incorrect configuration for auditd is present, but was never loaded before. The restart will load the config, and will fail in such a case. - this update removes a logging statement that occurs during startup: ("dispatcher %d reaped", pid) It's unlikely, but possible, that some monitoring software could be looking for that message in the logs. It won't be there anymore after this update. [Other Info] The patch is committed upstream and part of the 2.8.5 release, which is present in Focal and later. The real fix for this bug is just dropping the audit_msg() call in the signal handler code. But the original reporter of the bug, who is also who came up with the fix (see https://bugzilla.redhat.com/show_bug.cgi?id=1587995#c4) stated that with the 3 changes in the patch the startup hang didn't happen to him anymore. Since this bug is difficult to reproduce elsewhere (either you have it, or you don't), I chose to keep the 3 changes instead of just the removal of the audit_msg() call. [Original Description] This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705 Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9 Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'. Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service. dpkg: error processing package auditd
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
** Description changed: [Impact] Sometimes, auditd will get stuck when starting up, causing systemd to kill it after a while since it (systemd) never got the start notification. Upstream troubleshooted this to be caused by calling a syslog() function inside a signal handler. [Test Case] There is no reliable test case to reproduce the bug, other than trying the fixed packages on an affected system where the hang occurs more frequently. Basically: sudo systemctl stop auditd sudo systemctl start auditd should work reliably. Do not run that in a tight loop, however, as that will trigger a it's-restarting-too-frequently failure. [Where problems could occur] - if auditd fails to start, then the first fallback is syslog, and if that is not picking up the audit messages, the last resort is the kernel buffer, which can fill up. In the case it fills up, audit logs will be lost. - it's possible to configure the audit system to panic() the machine if audit messages are lost or otherwise not able to be recorded (auditctl -f 2; default is 1 which is printk()) - the update restarts auditd as expected. Misconfiguration on very very busy systems could mean that audit logs would be lost during the brief moment the service is restarted. If that's the case, this update would just be one more way to trigger it, but not be the root cause of the problem - similarly, as is usual with updates that restart services, it's possible than an incorrect configuration for auditd is present, but was never loaded before. The restart will load the config, and will fail in such a case. - this update removes a logging statement that occurs during startup: ("dispatcher %d reaped", pid) It's unlikely, but possible, that some monitoring software could be looking for that message in the logs. It won't be there anymore after this update. [Other Info] The patch is committed upstream and part of the 2.8.5 release, which is present in Focal and later. + The real fix for this bug is just dropping the audit_msg() call in the signal handler code. But the original reporter of the bug, who is also who came up with the fix (see https://bugzilla.redhat.com/show_bug.cgi?id=1587995#c4) stated that with the 3 changes in the patch the startup hang didn't happen to him anymore. Since this bug is difficult to reproduce elsewhere (either you have it, or you don't), I chose to keep the 3 changes instead of just the removal of the audit_msg() call. [Original Description] This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705 Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9 Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'. Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service. dpkg: error processing package auditd (--configure): installed auditd package post-installation script subprocess returned error exit status 1 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Confirmed
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
** Description changed: [Impact] - * An explanation of the effects of the bug on users and + Sometimes, auditd will get stuck when starting up, causing systemd to + kill it after a while since it (systemd) never got the start + notification. - * justification for backporting the fix to the stable release. - - * In addition, it is helpful, but not required, to include an -explanation of how the upload fixes this bug. + Upstream troubleshooted this to be caused by calling a syslog() function + inside a signal handler. [Test Case] + There is no reliable test case to reproduce the bug, other than trying the fixed packages on an affected system where the hang occurs more frequently. - * detailed instructions how to reproduce the bug + Basically: + sudo systemctl stop auditd + sudo systemctl start auditd - * these should allow someone who is not familiar with the affected -package to reproduce the bug and verify that the updated package fixes -the problem. + should work reliably. Do not run that in a tight loop, however, as that + will trigger a it's-restarting-too-frequently failure. [Where problems could occur] + - if auditd fails to start, then the first fallback is syslog, and if that is not picking up the audit messages, the last resort is the kernel buffer, which can fill up. In the case it fills up, audit logs will be lost. - * Think about what the upload changes in the software. Imagine the change is -wrong or breaks something else: how would this show up? + - it's possible to configure the audit system to panic() the machine if + audit messages are lost or otherwise not able to be recorded (auditctl + -f 2; default is 1 which is printk()) - * It is assumed that any SRU candidate patch is well-tested before -upload and has a low overall risk of regression, but it's important -to make the effort to think about what ''could'' happen in the -event of a regression. + - the update restarts auditd as expected. Misconfiguration on very very + busy systems could mean that audit logs would be lost during the brief + moment the service is restarted. If that's the case, this update would + just be one more way to trigger it, but not be the root cause of the + problem - * This must '''never''' be "None" or "Low", or entirely an argument as to why -your upload is low risk. + - this update removes a logging statement that occurs during startup: - * This both shows the SRU team that the risks have been considered, -and provides guidance to testers in regression-testing the SRU. + ("dispatcher %d reaped", pid) + + It's unlikely, but possible, that some monitoring software could be + looking for that message in the logs. It won't be there anymore after + this update. + [Other Info] - - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - * and address these questions in advance + The patch is committed upstream and part of the 2.8.5 release, which is present in Focal and later. [Original Description] - - This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: + This happens sometimes when installing auditd on Ubuntu 18.04.2, most + installations work successfully, though. Re-running the install also + fixes the issue, but the failure breaks our automation. The log from the + failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705 Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL. Sep 17 18:43:06
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
Yikes @Kodiak, sounds painful :( -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Confirmed Status in audit package in Debian: New Bug description: [Impact] * An explanation of the effects of the bug on users and * justification for backporting the fix to the stable release. * In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug. [Test Case] * detailed instructions how to reproduce the bug * these should allow someone who is not familiar with the affected package to reproduce the bug and verify that the updated package fixes the problem. [Where problems could occur] * Think about what the upload changes in the software. Imagine the change is wrong or breaks something else: how would this show up? * It is assumed that any SRU candidate patch is well-tested before upload and has a low overall risk of regression, but it's important to make the effort to think about what ''could'' happen in the event of a regression. * This must '''never''' be "None" or "Low", or entirely an argument as to why your upload is low risk. * This both shows the SRU team that the risks have been considered, and provides guidance to testers in regression-testing the SRU. [Other Info] * Anything else you think is useful to include * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board * and address these questions in advance [Original Description] This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705 Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9 Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'. Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service. dpkg: error processing package auditd (--configure): installed auditd package post-installation script subprocess returned error exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1848330/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
** Description changed: - This happens sometimes when installing auditd on Ubuntu 18.04.2, most - installations work successfully, though. Re-running the install also - fixes the issue, but the failure breaks our automation. The log from the - failure looks like this: + [Impact] + + * An explanation of the effects of the bug on users and + + * justification for backporting the fix to the stable release. + + * In addition, it is helpful, but not required, to include an +explanation of how the upload fixes this bug. + + [Test Case] + + * detailed instructions how to reproduce the bug + + * these should allow someone who is not familiar with the affected +package to reproduce the bug and verify that the updated package fixes +the problem. + + [Where problems could occur] + + * Think about what the upload changes in the software. Imagine the change is +wrong or breaks something else: how would this show up? + + * It is assumed that any SRU candidate patch is well-tested before +upload and has a low overall risk of regression, but it's important +to make the effort to think about what ''could'' happen in the +event of a regression. + + * This must '''never''' be "None" or "Low", or entirely an argument as to why +your upload is low risk. + + * This both shows the SRU team that the risks have been considered, +and provides guidance to testers in regression-testing the SRU. + + [Other Info] + + * Anything else you think is useful to include + * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board + * and address these questions in advance + + + [Original Description] + + + This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service -Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) -Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago - Docs: man:auditd(8) -https://github.com/linux-audit/audit-documentation - Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) + Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) + Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago + Docs: man:auditd(8) + https://github.com/linux-audit/audit-documentation + Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705 Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9 Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'. Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service. dpkg: error processing package auditd (--configure): - installed auditd package post-installation script subprocess returned error exit status 1 + installed auditd package post-installation script subprocess returned error exit status 1 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Confirmed Status in audit package in Debian: New Bug description: [Impact] * An explanation of the effects of the bug on users and * justification for backporting the fix to the stable release. * In addition, it is helpful, but not required, to include an explanation of how the upload fixes this bug. [Test Case] * detailed instructions how to reproduce the bug * these should allow someone who is not familiar with the affected
[Touch-packages] [Bug 1848330] Re: Installing auditd sometimes fails in post-inst
I'm having difficulties reproducing the bug, to validate the patch. I build bionic test packages with the patch mentioned earlier, if someone wants to test: https://launchpad.net/~ahasenack/+archive/ubuntu/audit- startup-hang-1848330 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to audit in Ubuntu. https://bugs.launchpad.net/bugs/1848330 Title: Installing auditd sometimes fails in post-inst Status in audit package in Ubuntu: Confirmed Status in audit package in Debian: New Bug description: This happens sometimes when installing auditd on Ubuntu 18.04.2, most installations work successfully, though. Re-running the install also fixes the issue, but the failure breaks our automation. The log from the failure looks like this: # apt install auditd ... Setting up auditd (1:2.8.2-1ubuntu1) ... Created symlink /etc/systemd/system/multi-user.target.wants/auditd.service → /lib/systemd/system/auditd.service. Job for auditd.service failed because a timeout was exceeded. See "systemctl status auditd.service" and "journalctl -xe" for details. invoke-rc.d: initscript auditd, action "start" failed. ● auditd.service - Security Auditing Service Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: failed (Result: timeout) since Tue 2019-09-17 18:43:06 UTC; 11ms ago Docs: man:auditd(8) https://github.com/linux-audit/audit-documentation Process: 9702 ExecStart=/sbin/auditd (code=killed, signal=KILL) Sep 17 18:40:06 compute-node21 systemd[1]: Starting Security Auditing Service... Sep 17 18:40:06 compute-node21 auditd[9703]: Started dispatcher: /sbin/audispd pid: 9705 Sep 17 18:40:06 compute-node21 audispd[9705]: No plugins found, exiting Sep 17 18:41:36 compute-node21 systemd[1]: auditd.service: Start operation timed out. Terminating. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: State 'stop-sigterm' timed out. Killing. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9702 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Killing process 9703 (auditd) with signal SIGKILL. Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Control process exited, code=killed status=9 Sep 17 18:43:06 compute-node21 systemd[1]: auditd.service: Failed with result 'timeout'. Sep 17 18:43:06 compute-node21 systemd[1]: Failed to start Security Auditing Service. dpkg: error processing package auditd (--configure): installed auditd package post-installation script subprocess returned error exit status 1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1848330/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp